Insecure Direct Object Reference in Rallly Scheduling Tool
CVE-2025-65021

9.1 CRITICAL

Key Information:

Vendor

Lukevella

Status
Vendor
CVE Published:
19 November 2025

What is CVE-2025-65021?

Rallly, an open-source scheduling and collaboration tool, is affected by an Insecure Direct Object Reference (IDOR) vulnerability in its poll finalization feature. Prior to version 4.5.4, an authenticated user can change the pollId parameter in a finalization request and finalize polls they do not own. Because the endpoint does not verify that the caller owns the referenced poll, an unauthorized user can hijack other users' polls and convert them into events, disrupting workflows and compromising data integrity. The issue is fixed in version 4.5.4.
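The authorization gap described above, as an added example written for this page and not taken from Rallly's code base: a minimal in-memory poll store with two finalization handlers, one that trusts the caller-supplied pollId (the vulnerable shape) and one that checks ownership before changing state (the fix), plus a small audit-review helper a defender could use to look for finalizations performed by someone other than the poll owner. All names here (Poll, PollStore, finalizePollVulnerable, finalizePollSecure, AuditEvent, the sample users and poll ids) are hypothetical, and the sample data is constructed.

```typescript
// Added example (not Rallly's own code): a minimal in-memory model of a
// poll-finalization endpoint showing the authorization gap described in
// CVE-2025-65021 and the ownership check that closes it. Every name here
// (Poll, PollStore, finalizePoll*, AuditEvent) is hypothetical.

type PollStatus = "open" | "finalized";

interface Poll {
  id: string;
  ownerId: string;
  status: PollStatus;
  selectedOptionId?: string;
}

interface User {
  id: string; // already authenticated by the session layer
}

// One record per finalization that changed state; reviewed below to find
// finalizations performed by someone other than the owner.
interface AuditEvent {
  action: "poll.finalize";
  actorId: string;
  pollId: string;
  pollOwnerId: string;
}

type Result = { ok: true } | { ok: false; error: "NOT_FOUND" | "ALREADY_FINALIZED" };

class PollStore {
  private polls = new Map<string, Poll>();
  readonly audit: AuditEvent[] = [];

  constructor(seed: Poll[]) {
    for (const p of seed) this.polls.set(p.id, { ...p });
  }

  get(id: string): Poll | undefined {
    return this.polls.get(id);
  }
}

// Constructed sample data: two users, each owning one open poll.
function sampleStore(): PollStore {
  return new PollStore([
    { id: "poll-alice", ownerId: "alice", status: "open" },
    { id: "poll-bob", ownerId: "bob", status: "open" },
  ]);
}

// Vulnerable shape: the handler trusts the caller-supplied pollId and only
// requires that the caller is logged in, never that they own the poll.
function finalizePollVulnerable(store: PollStore, caller: User, pollId: string, optionId: string): Result {
  const poll = store.get(pollId);
  if (!poll) return { ok: false, error: "NOT_FOUND" };
  if (poll.status === "finalized") return { ok: false, error: "ALREADY_FINALIZED" };
  poll.status = "finalized";
  poll.selectedOptionId = optionId;
  store.audit.push({ action: "poll.finalize", actorId: caller.id, pollId, pollOwnerId: poll.ownerId });
  return { ok: true };
}

// Hardened shape: the object is fetched and its owner compared with the
// authenticated caller before any state change. A poll the caller does not
// own is reported as NOT_FOUND rather than FORBIDDEN so the response does not
// confirm that a guessed id exists.
function finalizePollSecure(store: PollStore, caller: User, pollId: string, optionId: string): Result {
  const poll = store.get(pollId);
  if (!poll || poll.ownerId !== caller.id) return { ok: false, error: "NOT_FOUND" };
  if (poll.status === "finalized") return { ok: false, error: "ALREADY_FINALIZED" };
  poll.status = "finalized";
  poll.selectedOptionId = optionId;
  store.audit.push({ action: "poll.finalize", actorId: caller.id, pollId, pollOwnerId: poll.ownerId });
  return { ok: true };
}

// Review helper for an instance that ran the vulnerable version: any
// finalization whose actor is not the poll owner is worth investigating.
function finalizationsByNonOwner(events: AuditEvent[]): AuditEvent[] {
  return events.filter((e) => e.action === "poll.finalize" && e.actorId !== e.pollOwnerId);
}

// Runs the same cross-user request against both handlers and reports whether
// the other user's poll was modified, plus what the audit review would surface.
function demo(): { vulnerableHijacked: boolean; secureHijacked: boolean; flagged: number } {
  const bob: User = { id: "bob" };

  const vulnerable = sampleStore();
  finalizePollVulnerable(vulnerable, bob, "poll-alice", "opt-1");
  const vulnerableHijacked = vulnerable.get("poll-alice")!.status === "finalized";

  const secure = sampleStore();
  finalizePollSecure(secure, bob, "poll-alice", "opt-1");
  const secureHijacked = secure.get("poll-alice")!.status === "finalized";

  return { vulnerableHijacked, secureHijacked, flagged: finalizationsByNonOwner(vulnerable.audit).length };
}

console.log(demo()); // { vulnerableHijacked: true, secureHijacked: false, flagged: 1 }
```

The design point is that authorization is decided on the object after it is loaded, not on the request before: the handler must resolve pollId to a record and compare its owner with the session identity, and the same rule applies to every other mutating endpoint that takes an object id.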

Affected Version(s)

rallly < 4.5.4

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
