CVE-2025-65033
📋 TL;DR
This CVE describes an authorization flaw in Rallly's poll management feature where any authenticated user can pause or resume any poll by using only the public pollId, without ownership verification. This affects all Rallly instances running versions before 4.5.4, allowing users to disrupt polls created by others and compromise application integrity and availability.
💻 Affected Systems
- Rallly
📦 What is this software?
Rallly by Rallly
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically pause all polls in the system, causing widespread disruption to scheduling and collaboration activities across the entire organization.
Likely Case
Users accidentally or intentionally pause/resume polls they don't own, causing confusion and disruption to legitimate scheduling activities.
If Mitigated
With proper authorization checks, only poll owners can manage their polls, maintaining system integrity.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial - users simply need to know or guess poll IDs and call the pause/resume endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3
Restart Required: Yes
Instructions:
1. Backup your Rallly instance.
2. Update to version 4.5.4 or later using your deployment method (Docker, manual, etc.).
3. Restart the application.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable poll management endpoints
Temporarily disable the pause/resume poll endpoints via web server configuration or application firewall rules. Note that this blocks the endpoints for poll owners as well until the patch is applied.
# Example nginx location block to block poll management endpoints
location ~ ^/api/polls/(.*)/(pause|resume)$ {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Rallly to only trusted users
- Add a reverse proxy or WAF with custom rules to validate poll ownership before allowing pause/resume requests
🔍 How to Verify
Check if Vulnerable:
Check if authenticated users can pause/resume polls they don't own by testing with two different user accounts
Check Version:
Check the Rallly version in the admin interface or via the application's version endpoint
Verify Fix Applied:
After patching, verify that only poll owners can pause/resume their polls using proper authorization checks
📡 Detection & Monitoring
Log Indicators:
- Unauthorized pause/resume API calls in application logs
- Multiple failed authorization attempts for poll management
Network Indicators:
- POST requests to /api/polls/{pollId}/pause or /api/polls/{pollId}/resume from non-owner users
SIEM Query (Splunk-style; the field-to-field comparison belongs in a where clause, because user_id!=poll_owner_id in the base search compares against the literal string "poll_owner_id"):
source="rallly" (uri_path="/api/polls/*/pause" OR uri_path="/api/polls/*/resume")
| where user_id!=poll_owner_id
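The log and network indicators above turned into runnable detection logic, as an added example that is not part of the advisory or of Rallly. It assumes the application or reverse proxy writes one JSON record per request carrying user_id and, for poll routes, poll_owner_id (the field names from the SIEM query); the sample log lines are constructed, and the per-user threshold is an assumption.

```typescript
// Added example, not from the advisory or Rallly: detection logic for non-owner
// pause/resume calls over constructed JSON request logs. Field names follow the
// advisory's SIEM query; the paths follow its network indicators.

interface RequestLog {
  ts: string;
  method: string;
  uri_path: string;
  status: number;
  user_id: string;
  poll_owner_id?: string;
}

interface Finding {
  ts: string;
  userId: string;
  pollId: string;
  action: "pause" | "resume";
  ownerId: string;
  succeeded: boolean; // 2xx on an unpatched instance; 403 once the ownership check is in place
}

// Constructed sample log: one JSON record per line, with one malformed line mixed in.
const SAMPLE_LOG = [
  '{"ts":"2025-11-20T09:00:01Z","method":"POST","uri_path":"/api/polls/p-alice-1/pause","status":200,"user_id":"alice","poll_owner_id":"alice"}',
  '{"ts":"2025-11-20T09:00:05Z","method":"POST","uri_path":"/api/polls/p-alice-1/pause","status":200,"user_id":"bob","poll_owner_id":"alice"}',
  '{"ts":"2025-11-20T09:00:06Z","method":"POST","uri_path":"/api/polls/p-carol-7/pause","status":200,"user_id":"bob","poll_owner_id":"carol"}',
  '{"ts":"2025-11-20T09:00:07Z","method":"POST","uri_path":"/api/polls/p-dave-2/resume","status":403,"user_id":"bob","poll_owner_id":"dave"}',
  '{"ts":"2025-11-20T09:00:09Z","method":"GET","uri_path":"/api/polls/p-dave-2","status":200,"user_id":"bob","poll_owner_id":"dave"}',
  'not json at all',
  '{"ts":"2025-11-20T09:00:12Z","method":"POST","uri_path":"/api/polls/p-carol-7/resume","status":200,"user_id":"carol","poll_owner_id":"carol"}',
].join("\n");

const PAUSE_RESUME = /^\/api\/polls\/([^/]+)\/(pause|resume)$/;

// Parse line-delimited JSON, skipping malformed lines instead of aborting the batch.
function parseLogLines(text: string): RequestLog[] {
  const records: RequestLog[] = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const rec = JSON.parse(line);
      if (typeof rec.uri_path === "string" && typeof rec.user_id === "string") {
        records.push(rec as RequestLog);
      }
    } catch {
      // malformed line: ignore
    }
  }
  return records;
}

// A POST to a pause/resume path where the acting user is not the poll owner.
function findNonOwnerActions(records: RequestLog[]): Finding[] {
  const findings: Finding[] = [];
  for (const rec of records) {
    if (rec.method !== "POST") continue;
    const m = PAUSE_RESUME.exec(rec.uri_path);
    if (!m) continue;
    if (!rec.poll_owner_id || rec.poll_owner_id === rec.user_id) continue;
    findings.push({
      ts: rec.ts,
      userId: rec.user_id,
      pollId: m[1],
      action: m[2] as "pause" | "resume",
      ownerId: rec.poll_owner_id,
      succeeded: rec.status < 400,
    });
  }
  return findings;
}

// Users with at least `threshold` non-owner actions: the "systematically pause
// all polls" worst case from the risk section. Threshold is an assumption.
function flagSystematic(findings: Finding[], threshold = 3): string[] {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.userId] = (counts[f.userId] ?? 0) + 1;
  return Object.keys(counts).filter((u) => counts[u] >= threshold).sort();
}

function analyse(text: string = SAMPLE_LOG) {
  const findings = findNonOwnerActions(parseLogLines(text));
  return {
    findings,
    succeeded: findings.filter((f) => f.succeeded).length, // abuse that went through
    blocked: findings.filter((f) => !f.succeeded).length,  // attempts refused (post-patch behaviour)
    systematic: flagSystematic(findings),
  };
}
```

Successful non-owner actions indicate an unpatched instance being abused; refused ones after the update to 4.5.4 correspond to the "multiple failed authorization attempts" indicator, and a single user accumulating many of either is the pattern worth alerting on.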