Home > Vulnerability Database > CVE-2025-65031

Mend.io Vulnerability Database

CVE-2025-65031

Good to know:

Date: November 19, 2025

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.

Severity Score

6.5

Related Resources (4)

Url: https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-65031

Url: https://github.com/lukevella/rallly/releases/tag/v4.5.4

Url: https://www.mend.io/vulnerability-database/CVE-2025-65031

Severity Score

6.5

Weakness Type (CWE)

Improper Authorization

CWE-285

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

Upgrade Version

Upgrade to version https://github.com/lukevella/rallly.git - v4.5.4

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-65031

Good to know:

Date: November 19, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?