Overview
We are shedding light on a critical security vulnerability, identified as CVE-2025-47781, that affects Rallly, an open-source scheduling and collaboration tool. This vulnerability has a significant impact on all users of the application, potentially leading to system compromise and data leakage. It lies within the application’s token-based authentication system, specifically in versions up to and including 3.22.1. The primary concern arises from the weak entropy of the 6-digit authentication token and absence of brute force protection, permitting unauthorized attackers to gain access to user accounts. This blog post aims to provide an in-depth analysis of the vulnerability, its potential impact, and recommended mitigation strategies.
Vulnerability Summary
CVE ID: CVE-2025-47781
Severity: Critical (9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or data leakage
Affected Products
| Product | Affected Versions |
| --- | --- |
| Rallly | Up to and including 3.22.1 |
How the Exploit Works
The vulnerability lies in the token-based authentication system of the Rallly application. Upon login, users enter their email address, and a 6-digit code is sent to that address to complete the authentication. Because the code is numeric and only six digits long (one million possible values), its entropy is low enough that an attacker can exhaust the space within the token's 15-minute expiration window. The absence of brute-force protection escalates the risk further: nothing limits or slows repeated verification attempts. An attacker who knows a valid email address could therefore systematically guess the token and take over the associated account.
Conceptual Example Code
While the exact code to exploit the vulnerability is beyond the scope of this article, a conceptual example would involve an iterative process of attempting to authenticate with all possible 6-digit codes. This could be presented in pseudocode as follows:
import requests

# Conceptual loop: try candidate codes in sequence against the verification endpoint
for code in range(100000, 999999):
    response = requests.post(
        "https://www.rallly.co/api/auth/callback/email",
        data={'email': 'target@example.com', 'token': str(code)}
    )
    # a 200 response is taken to mean the submitted code was accepted
    if response.status_code == 200:
        print(f"Successful authentication with token: {code}")
        break
This code fragment illustrates the process of attempting authentication with all possible 6-digit codes. On a successful authentication, the process breaks and prints the successful token.
Mitigation
As of the time of publication, no patched versions are available. Until Rallly releases a security patch, users are advised to employ a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) as a temporary mitigation; these systems can detect and block the high volume of verification requests a brute-force attempt produces. Furthermore, it is recommended to register with unique email addresses that are not publicly associated with the user, reducing the chance that an attacker can guess the address used on the application.
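The server-side control the text describes as missing is a per-email attempt cap on code verification combined with the existing expiry. The following is an added illustration of that control, not Rallly's own code; the cap of 5 attempts, the in-memory store and the helper names are assumptions made for the example.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute expiry described above
MAX_ATTEMPTS = 5             # assumed cap; the page gives no value for Rallly
CODE_SPACE = 10 ** 6         # six numeric digits


class LoginCodeVerifier:
    """Hypothetical login-code store with expiry, single use and an attempt cap."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # email -> [code, issued_at, failed_attempts]

    def issue(self, email):
        # CSPRNG-backed code; zero-padding keeps all 10**6 values reachable
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._pending[email] = [code, self._clock(), 0]
        return code

    def verify(self, email, submitted):
        entry = self._pending.get(email)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[email]  # expired: require a fresh code
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[email]  # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[email]  # cap hit: invalidate, user must re-request
        return False


def brute_force_odds(attempt_cap, code_space=CODE_SPACE):
    """Chance a guesser succeeds within the cap against a uniformly random code."""
    return min(attempt_cap, code_space) / code_space


def required_guess_rate(ttl_seconds=TOKEN_TTL_SECONDS, code_space=CODE_SPACE):
    """Requests per second needed to cover the whole code space before expiry."""
    return code_space / ttl_seconds
```

With no cap, `brute_force_odds(CODE_SPACE)` is 1.0 and the attacker needs only about 1,111 requests per second to cover every code inside the 15-minute window; with the assumed cap of 5 the odds per issued code drop to 5 in a million.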