Vulnerability Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rallly | Rallly | < 4.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/lukevella/rallly/releases/tag/v4.5.4Release Notes
- https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8ExploitVendor Advisory
FAQ
What is CVE-2025-65021?
CVE-2025-65021 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application....
How severe is CVE-2025-65021?
CVE-2025-65021 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-65021?
Check the references section above for vendor advisories and patch information. Affected products include: Rallly Rallly.