CVE-2025-65021 CRITICAL

CVE-2025-65021: Rallly Has Unauthorized Poll Finalization via Insecure Direct Object Reference (IDOR)

Vendor Lukevella

Product rallly

Weakness CWE-285

Published November 19, 2025

Last update November 19, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.

Key dates

02Disclosure timeline

November 19, 2025 CVE published

November 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-65021 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

CVE-2025-65021: Rallly Has Unauthorized Poll Finalization via Insecure Direct Object Reference (IDOR)

01Description

02Disclosure timeline

03References

04Related CVE