CVE-2025-65021
Published: 19 November 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-65021 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Rallly, an open-source scheduling and collaboration tool, in versions prior to 4.5.4. The flaw resides in the poll finalization feature, where the application fails to properly validate ownership of the pollId parameter in requests. This allows manipulation of the parameter to target polls belonging to other users. The vulnerability is associated with CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
Any authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By simply altering the pollId in the finalization request, an attacker can finalize another user's poll without authorization, converting it into an event. This disrupts legitimate user workflows, compromises data integrity by altering poll states without permission, and impacts availability by preventing proper poll management.
The issue has been addressed in Rallly version 4.5.4, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v4.5.4 or later and review access controls in similar parameter-driven features to prevent IDOR exposures. Relevant resources include the GitHub release at https://github.com/lukevella/rallly/releases/tag/v4.5.4 and the security advisory at https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8.
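The following is an added illustration of the authorization flaw class described above, not Rallly's code: a simplified finalize-poll handler that trusts a caller-supplied pollId (the CWE-639 pattern), beside a hardened form that scopes the lookup to the authenticated owner. The in-memory store, the Poll and Session types, and the handler names are assumptions constructed for the example.

```typescript
// Added example: IDOR in an "finalize poll" handler, vulnerable pattern vs. hardened pattern.
// Not Rallly's code; store, types and function names are constructed for illustration.

type PollStatus = "live" | "finalized";

interface Poll {
  id: string;
  ownerId: string;
  status: PollStatus;
}

interface Session {
  userId: string; // the authenticated principal
}

type Result = { ok: true; poll: Poll } | { ok: false; status: 403 | 404 };

// Constructed in-memory store standing in for the database.
function makeStore(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-alice", { id: "poll-alice", ownerId: "alice", status: "live" }],
    ["poll-bob", { id: "poll-bob", ownerId: "bob", status: "live" }],
  ]);
}

// Vulnerable pattern: the caller is authenticated, but the handler never binds
// the user-controlled pollId to that caller, so any user can finalize any poll.
function finalizePollVulnerable(store: Map<string, Poll>, _session: Session, pollId: string): Result {
  const poll = store.get(pollId);
  if (!poll) return { ok: false, status: 404 };
  poll.status = "finalized";
  return { ok: true, poll };
}

// Hardened pattern: ownership is part of the lookup itself (the equivalent of a
// WHERE id = ? AND owner_id = ? query), so there is no window between fetching
// the object and checking who may act on it. A poll that exists but belongs to
// someone else is reported as 404, which also avoids confirming which ids exist.
function findPollOwnedBy(store: Map<string, Poll>, pollId: string, userId: string): Poll | undefined {
  const poll = store.get(pollId);
  return poll && poll.ownerId === userId ? poll : undefined;
}

function finalizePollSecure(store: Map<string, Poll>, session: Session, pollId: string): Result {
  const poll = findPollOwnedBy(store, pollId, session.userId);
  if (!poll) return { ok: false, status: 404 };
  poll.status = "finalized";
  return { ok: true, poll };
}

// Scenario: "bob" is logged in and submits alice's pollId in the finalization request.
function demo(): { vulnerableAllowedCrossUser: boolean; secureAllowedCrossUser: boolean; secureAllowedOwner: boolean } {
  const s1 = makeStore();
  const vulnerableAllowedCrossUser = finalizePollVulnerable(s1, { userId: "bob" }, "poll-alice").ok;

  const s2 = makeStore();
  const secureAllowedCrossUser = finalizePollSecure(s2, { userId: "bob" }, "poll-alice").ok;
  const secureAllowedOwner = finalizePollSecure(s2, { userId: "alice" }, "poll-alice").ok;

  return { vulnerableAllowedCrossUser, secureAllowedCrossUser, secureAllowedOwner };
}

console.log(demo());
```

The review point this suggests for "similar parameter-driven features" is mechanical: every handler that takes an object id from the request should obtain the object through a lookup that already includes the caller's identity (or a membership/role relation), rather than fetching by id and relying on a later check that is easy to forget.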
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR vulnerability enables exploitation of a public-facing web application (T1190) via unauthorized manipulation of the pollId parameter, directly facilitating stored data manipulation (T1565.001) by altering poll states without proper authorization.