CVE-2025-65033
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-19

Last updated on: 2025-11-24

Assigner: GitHub, Inc.

Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-19
Last Modified
2025-11-24
Generated
2026-06-16
AI Q&A
2025-11-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65033
EUVD
EUVD-2025-198232
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rallly rallly to 4.5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authorization flaw in Rallly's poll management feature prior to version 4.5.4. It allows any authenticated user to pause or resume any poll, even if they do not own it. The system identifies polls only by a public pollId and does not verify if the user performing the action is the poll owner, enabling unauthorized users to disrupt polls created by others.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to disrupt the availability and integrity of polls within the Rallly application. Any authenticated user can pause or resume polls they do not own, potentially causing loss of availability and integrity of poll data and disrupting collaboration or scheduling activities.

Mitigation Strategies

Upgrade Rallly to version 4.5.4 or later, where the authorization flaw in the poll management feature has been patched. Until the upgrade is applied, restrict authenticated user access to poll management features to trusted users only to minimize the risk of unauthorized poll disruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65033. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart