Vulnerability Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rallly | Rallly | < 4.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/lukevella/rallly/releases/tag/v4.5.4Release Notes
- https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95ExploitVendor Advisory
FAQ
What is CVE-2025-65029?
CVE-2025-65029 is a vulnerability with a CVSS score of 8.1 (HIGH). Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participa...
How severe is CVE-2025-65029?
CVE-2025-65029 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-65029?
Check the references section above for vendor advisories and patch information. Affected products include: Rallly Rallly.