CVE-2025-65032
📋 TL;DR
An Insecure Direct Object Reference (IDOR) vulnerability in Rallly allows authenticated users to change other participants' display names in polls without proper authorization. This affects all Rallly instances running versions prior to 4.5.4. Attackers can manipulate the participantId parameter to modify names, potentially causing confusion or enabling impersonation attacks.
💻 Affected Systems
- Rallly
📦 What is this software?
Rallly by Rallly
⚠️ Risk & Real-World Impact
Worst Case
An attacker could systematically rename all participants in sensitive polls to cause confusion, impersonate administrators or key stakeholders, disrupt decision-making processes, or create misleading audit trails.
Likely Case
Malicious users rename other participants to cause confusion, create inappropriate names, or impersonate others in collaborative scheduling sessions, undermining trust in the platform.
If Mitigated
With proper access controls and input validation, only poll owners or administrators can modify participant names, maintaining data integrity and preventing unauthorized changes.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. Attackers simply need to modify the participantId parameter in rename requests to target other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xw
Restart Required: Yes
Instructions:
1. Back up your Rallly instance and database.
2. Update to version 4.5.4 or later using your deployment method (Docker, manual, etc.).
3. Restart the Rallly service.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Implement API-level access controls
Add server-side authorization checks to verify users can only rename participants they own or have permission to modify.
Not applicable - requires code modification
Rate limit rename requests
Implement rate limiting on participant rename endpoints to limit potential damage from automated attacks.
Not applicable - requires infrastructure configuration
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Rallly instances to trusted users only
- Enable detailed logging of all participant modification events and monitor for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check if your Rallly version is below 4.5.4. Attempt to rename another user's participant entry by modifying the participantId parameter in a rename request (test in controlled environment only).
Check Version:
Check the Rallly web interface footer or API endpoint for version information, or inspect the Docker container tag if using Docker.
Verify Fix Applied:
After updating to 4.5.4+, attempt the same rename request. It should fail with a proper authorization error. Verify the version shows 4.5.4 or higher.
📡 Detection & Monitoring
Log Indicators:
- Multiple rename requests from the same user targeting different participant IDs
- Rename requests where requester ID doesn't match participant owner ID
- Unusual spike in participant modification activity
Network Indicators:
- POST requests to participant rename endpoints with modified participantId parameters
- Pattern of rename requests across multiple poll IDs from a single source
SIEM Query:
source="rallly" AND (event="participant_rename" OR endpoint="/api/participants/*/rename") | stats count by user_id, participant_id | where count > threshold