CVE-2025-65029

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-65029
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65029.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-65029
Aliases
  • GHSA-f8jc-6746-ww95
Published
2025-11-19T17:24:45.509Z
Modified
2026-04-02T13:00:32.915681Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
Rallly Has an IDOR Vulnerability in Participant Deletion Endpoint Allows Unauthorized Removal of Poll Participants
Details

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.

Database specific 
{
    "cwe_ids": [
        "CWE-285",
        "CWE-639",
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65029.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/lukevella/rallly

Affected ranges

Type
GIT
Repo
https://github.com/lukevella/rallly
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0bc349040885ba48ac02ce386140084b0d847a9a

Affected versions

v2.*
v2.0.0
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.11.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.9.0
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0-rc1
v3.0.1
v3.1.0
v3.1.1
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.11.2
v3.2.0
v3.2.1
v3.3.0
v3.4.0
v3.4.1
v3.4.2
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.7.0
v3.8.0
v3.8.1
v3.9.0
v3.9.1
v3.9.1-fork.1
v3.9.1-fork.2
v3.9.1-fork.3
v3.9.1-fork.4
v3.9.1-fork.5
v3.9.1-fork.6
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.1.0
v4.1.1
v4.1.2
v4.2.0
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.5.2
v4.5.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65029.json"