What is CVE-2025-65021?

CVE-2025-65021 is a critical-severity vulnerability in Lukevella Rallly, classified under Improper Authorization. CVSS score: 9.1/10. Published 2025-11-19.

How severe is CVE-2025-65021?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Auth bypass in Lukevella Rallly

CVE-2025-65021

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a…

EPSS: 0.001 (23.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

Affected products

Lukevella Rallly — versions < 4.5.4

Weakness classification (CWE)

References

https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8 (x_refsource_CONFIRM)
https://github.com/lukevella/rallly/releases/tag/v4.5.4 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-65021?: CVE-2025-65021 is a critical-severity vulnerability in Lukevella Rallly, classified under Improper Authorization. CVSS score: 9.1/10. Published 2025-11-19.
How severe is CVE-2025-65021?: Critical severity. CVSS v3 base score is 9.1 out of 10.