CVE-2025-66027

6.5 MEDIUM

📋 TL;DR

This CVE describes an information disclosure vulnerability in Rallly, an open-source scheduling tool. The tRPC endpoint /api/trpc/polls.get,polls.participants.list returns participant names and email addresses to callers who should not see them, bypassing the Pro privacy feature that is meant to hide participant details. All Rallly instances running versions before 4.5.6 are affected.

💻 Affected Systems

Products:
  • Rallly
Versions: All versions prior to 4.5.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is present in every installation, but the disclosure only matters where the Pro privacy feature (which hides participant details from other viewers of a poll) is enabled, because that is the control being bypassed. Without it, participant details are visible to poll viewers by design.

📦 What is this software?

Rallly is an open-source scheduling tool: a poll creator proposes times and participants respond under their name and email address. The Pro privacy feature hides those participant details from other viewers of the poll; that is the control this vulnerability bypasses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could harvest the names and email addresses of every participant in reachable polls, enabling targeted phishing campaigns or identity theft.

🟠 Likely Case

Unauthorized users read participant contact information they should not be able to see, violating privacy expectations and exposing participants to spam or unwanted contact.

🟢 If Mitigated

With network access to the API restricted, exposure is limited to users who can already reach the poll; those users can still read participant details the Pro privacy setting was meant to hide.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation only requires the ability to reach the tRPC endpoint for a poll; no privileges beyond those needed to view the poll are required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.6

Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg

Restart Required: Yes

Instructions:

1. Backup your Rallly instance and database
2. Update to version 4.5.6 using your deployment method (Docker, manual, etc.)
3. Restart the Rallly service
4. Confirm the running instance reports version 4.5.6 (see How to Verify below)

🔧 Temporary Workarounds

API Endpoint Restriction

Platform: all

Block or restrict access to the vulnerable endpoint /api/trpc/polls.get,polls.participants.list. tRPC joins batched procedure names with commas in the request path, so the same procedure can also arrive alone (/api/trpc/polls.participants.list) or in a different batch order; match the procedure name rather than the exact batch string. This also hides participants from the poll's own pages for everyone, so treat it as a stopgap until 4.5.6 is deployed.

# Example nginx config to block the participant-listing procedure
# (place inside the server block that proxies to Rallly; regex locations
# are matched against the URI without the query string)
location ~ ^/api/trpc/.*polls\.participants\.list {
    return 403;
}

Network Segmentation

Platform: all

Restrict network access to the Rallly API endpoints to authorized users only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Rallly API
  • Monitor for unusual access patterns to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Confirm the running Rallly version is below 4.5.6, then, from a browser session or client that is not the poll owner's, request /api/trpc/polls.get,polls.participants.list for a poll with Pro privacy enabled and check whether participant names and email addresses come back.

Check Version:

Check the Rallly web interface settings or run: docker exec <container_name> node -e "console.log(require('./package.json').version)" (this assumes package.json is in the container's working directory; otherwise pass its absolute path). For non-Docker installs, read the version field of package.json in the install directory.

Verify Fix Applied:

After updating to 4.5.6, verify that the endpoint no longer returns participant details when Pro privacy features are enabled.
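The probe below is an added example, not the vendor's or the Rallly project's code, that automates both checks: it requests the batched tRPC endpoint anonymously (no session cookie) for a poll whose Pro privacy setting hides participants and reports any email addresses that come back. The batch URL layout (`?batch=1&input=<json>`), the superjson-style envelope `{"0": {"json": {...}}}`, the `pollId` parameter name, the `hideParticipants` field and the `email` field on participant records are assumptions about Rallly's tRPC API, not details confirmed by the advisory; the sample responses are constructed. Run it before and after upgrading: on a patched instance the email list should be empty.

```python
"""Probe a Rallly instance for CVE-2025-66027: does the batched tRPC endpoint
return participant e-mail addresses for a poll whose Pro privacy setting
should hide them?

Added example; not the vendor's or the Rallly project's code. Assumptions
about the tRPC API (not confirmed by the advisory): GET batch URLs of the form
/api/trpc/<proc>,<proc>?batch=1&input=<json>, a superjson-style envelope
{"0": {"json": {...}}}, a 'pollId' input parameter and an 'email' field on
participant records. Adjust if the instance under test differs."""
import json
import re
import sys
import urllib.parse
import urllib.request

PROCEDURES = ["polls.get", "polls.participants.list"]
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def build_batch_url(base_url, poll_id):
    """Batched tRPC GET URL in the shape the front end uses (assumed)."""
    inputs = {str(i): {"json": {"pollId": poll_id}} for i in range(len(PROCEDURES))}
    query = urllib.parse.urlencode(
        {"batch": "1", "input": json.dumps(inputs, separators=(",", ":"))})
    return f"{base_url.rstrip('/')}/api/trpc/{','.join(PROCEDURES)}?{query}"


def leaked_emails(batch_response):
    """Collect every 'email' value that looks like an address anywhere in the
    response, so the check does not depend on the exact result envelope."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "email" and isinstance(value, str) and EMAIL_RE.fullmatch(value):
                    found.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(batch_response)
    return found


def is_vulnerable(batch_response):
    """True when the participant listing still carries e-mail addresses."""
    return bool(leaked_emails(batch_response))


def probe(base_url, poll_id):
    """Fetch the batch endpoint with no session cookie and return leaked e-mails."""
    req = urllib.request.Request(build_batch_url(base_url, poll_id),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return leaked_emails(json.load(resp))


# Constructed sample responses (not captured from a real instance; field names
# other than 'email' are illustrative). Before the fix, the second batch
# element exposes participant details:
SAMPLE_LEAKY_RESPONSE = [
    {"result": {"data": {"json": {"id": "poll_abc123", "hideParticipants": True}}}},
    {"result": {"data": {"json": [
        {"id": "p1", "name": "Alice", "email": "alice@example.com"},
        {"id": "p2", "name": "Bob", "email": "bob@example.com"},
    ]}}},
]
# What a hardened answer should look like: no contact details for outsiders.
SAMPLE_FIXED_RESPONSE = [
    {"result": {"data": {"json": {"id": "poll_abc123", "hideParticipants": True}}}},
    {"result": {"data": {"json": []}}},
]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_rallly.py https://rallly.example.org <pollId>")
    emails = probe(sys.argv[1], sys.argv[2])
    print("VULNERABLE:" if emails else "no e-mail addresses returned", emails)
```

Use a poll you own with Pro privacy enabled and run the probe from a host that has no Rallly session; a non-empty result before the upgrade and an empty one afterwards confirms the fix landed.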

📡 Detection & Monitoring

Log Indicators:

  • Unusual number of requests to /api/trpc/polls.get,polls.participants.list
  • Requests from unexpected IP addresses to the vulnerable endpoint

Network Indicators:

  • Traffic patterns showing enumeration of poll IDs followed by access to participant endpoints

SIEM Query:

source="rallly" AND uri_path="*polls.participants.list*"

Splunk-style syntax; adjust source to wherever the reverse-proxy access logs land. The wildcard is deliberate: tRPC joins batched procedure names with commas in the path, so the procedure may appear alone, first or last, and an exact match on /api/trpc/polls.get,polls.participants.list misses the other forms.
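The detection logic below is an added example, not from the advisory or the Rallly project: it parses reverse-proxy access lines, recognises polls.participants.list as a member of the batched tRPC path regardless of order, and flags any client that successfully listed participants of many distinct polls, which is the enumeration pattern described above. It assumes the nginx combined log format and that the poll identifier travels in the tRPC input query string under a pollId key (an assumption about Rallly's API); the log lines are constructed sample data.

```python
"""Flag clients that enumerate poll IDs against Rallly's participant-listing
procedure, using reverse-proxy access logs.

Added example; not from the advisory or the Rallly project. Assumes the nginx
'combined' log format and that the poll identifier travels in the batched tRPC
'input' query string under a 'pollId' key (assumption about Rallly's API)."""
import json
import re
import urllib.parse
from collections import defaultdict

# nginx 'combined' format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

PROCEDURE = "polls.participants.list"


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def participant_list_poll_ids(target):
    """Poll IDs referenced by a request that invokes polls.participants.list.
    The procedure is matched as a batch member, because tRPC joins procedure
    names with commas in the path and the order is not fixed."""
    url = urllib.parse.urlsplit(target)
    if not url.path.startswith("/api/trpc/"):
        return []
    if PROCEDURE not in url.path[len("/api/trpc/"):].split(","):
        return []
    raw = urllib.parse.parse_qs(url.query).get("input", [None])[0]
    if raw is None:
        return []
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return []
    if not isinstance(payload, dict):
        return []
    # batched input is {"0": {"json": {...}}, ...}; a single call is {"json": {...}}
    entries = [payload] if "json" in payload else list(payload.values())
    ids = set()
    for entry in entries:
        inner = entry.get("json", entry) if isinstance(entry, dict) else None
        if isinstance(inner, dict) and inner.get("pollId"):
            ids.add(str(inner["pollId"]))
    return sorted(ids)


def find_enumerators(lines, threshold=5):
    """Map client IP -> sorted poll IDs for clients that successfully listed
    participants of at least `threshold` distinct polls."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        for pid in participant_list_poll_ids(rec["target"]):
            seen[rec["ip"]].add(pid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


def constructed_line(ip, procedures, poll_id, status="200"):
    """Build a constructed 'combined' log line (sample data, not captured traffic)."""
    inputs = {str(i): {"json": {"pollId": poll_id}} for i in range(len(procedures))}
    query = urllib.parse.urlencode(
        {"batch": "1", "input": json.dumps(inputs, separators=(",", ":"))})
    target = f"/api/trpc/{','.join(procedures)}?{query}"
    return (f'{ip} - - [10/Dec/2025:12:00:00 +0000] "GET {target} HTTP/1.1" {status} 512 '
            f'"https://rallly.example.org/poll/{poll_id}" "Mozilla/5.0"')


SAMPLE_LOG = (
    # a normal visitor rendering one poll
    [constructed_line("203.0.113.5", ["polls.get", PROCEDURE], "poll_legit")]
    # a scraper walking many poll IDs, calling the procedure alone and in a reversed batch
    + [constructed_line("198.51.100.9", [PROCEDURE], f"poll_{i:03d}") for i in range(4)]
    + [constructed_line("198.51.100.9", [PROCEDURE, "polls.get"], f"poll_{i:03d}") for i in range(4, 8)]
    # a failed lookup, which must not count toward the threshold
    + [constructed_line("198.51.100.9", [PROCEDURE], "poll_missing", status="404")]
)

if __name__ == "__main__":
    for ip, polls in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: listed participants of {len(polls)} polls: {', '.join(polls)}")
```

Only 200 responses count, so a scanner probing non-existent poll IDs does not inflate the tally; tune the threshold to how many polls a legitimate user opens per day on your instance.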

🔗 References

  • Vendor advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg
