Overview
We are shedding light on a critical security vulnerability, identified as CVE-2025-47781, that affects Rallly, an open-source scheduling and collaboration tool. This vulnerability has a significant impact on all users of the application, potentially leading to system compromise and data leakage. It lies within the application’s token-based authentication system, specifically in versions up to and including 3.22.1. The primary concern arises from the weak entropy of the 6-digit authentication token and the absence of brute force protection, permitting unauthenticated attackers to gain access to user accounts. This blog post provides an in-depth analysis of the vulnerability, its potential impact, and recommended mitigation strategies.
Vulnerability Summary
CVE ID: CVE-2025-47781
Severity: Critical (9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or data leakage
Affected Products
Product | Affected Versions
Rallly | Up to and including 3.22.1
How the Exploit Works
The vulnerability lies in the token-based authentication system of the Rallly application. Upon login, users enter their email address, and a 6-digit code is sent to that address to complete the authentication. Because the code has only one million possible values, it can be brute-forced by an attacker within the token’s expiration time of 15 minutes. Moreover, the absence of brute force protection escalates the risk: nothing limits how many codes may be tried against a single email address before the token expires. An attacker who knows a valid email address could therefore systematically brute force the token and take over the associated account.
Conceptual Example Code
While the exact code to exploit the vulnerability is beyond the scope of this article, a conceptual example would involve an iterative process of attempting to authenticate with all possible 6-digit codes. This could be presented in pseudocode as follows:
import requests

# Endpoint and target address as given in the article. The loop covers every
# value a 6-digit code can take, including codes with leading zeros, which the
# range used here includes and zero-pads when sending.
for code in range(0, 1000000):
    response = requests.post(
        "https://www.rallly.co/api/auth/callback/email",
        data={'email': 'target@example.com', 'token': f"{code:06d}"}
    )
    if response.status_code == 200:
        print(f"Successful authentication with token: {code:06d}")
        break
This code fragment illustrates the process of attempting authentication with every possible 6-digit code. On a successful authentication, the loop stops and prints the token that was accepted.
Mitigation
As of the time of publication, no patched versions are available. Until a security patch is released by Rallly, users are advised to employ Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) as a temporary mitigation: a burst of failed token submissions for one email address within a short window is the signature of this attack, and these systems can rate-limit or block it. Furthermore, it is recommended to use unique email addresses not publicly associated with users, reducing the chance that attackers can guess the email addresses used for registration on the application.
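The two weaknesses described in the sections above (the low entropy of a 6-digit code and the lack of a limit on failed attempts) can be quantified and countered in a few lines. The following is an added example written for this post; it is not Rallly’s code and does not describe its internals. It computes how small the search space of a 6-digit code is relative to a 15-minute lifetime, and then shows a hypothetical server-side verifier that issues a 128-bit token, compares it in constant time, expires it, makes it single-use, and invalidates it after a fixed budget of failed attempts. The names TokenVerifier, issue, verify and the parameters max_failures and clock are assumptions made for this example.

```python
import hmac
import math
import secrets
import time

# Constructed parameters mirroring the advisory: a 6-digit numeric code with a
# 15-minute lifetime.
DIGIT_CODE_SPACE = 10 ** 6
TOKEN_TTL_SECONDS = 15 * 60


def code_entropy_bits(keyspace: int) -> float:
    """Entropy in bits of a code drawn uniformly from `keyspace` values."""
    return math.log2(keyspace)


def expected_attempts_to_guess(keyspace: int) -> float:
    """Average number of guesses needed to hit a uniformly random code."""
    return (keyspace + 1) / 2


def required_rate_per_second(keyspace: int, ttl_seconds: int) -> float:
    """Request rate needed to exhaust the whole keyspace before the token expires."""
    return keyspace / ttl_seconds


class TokenVerifier:
    """Hypothetical verifier (not Rallly's) adding the protections the advisory
    says were missing: a high-entropy token, a per-email failed-attempt budget,
    expiry, single use and constant-time comparison."""

    def __init__(self, max_failures: int = 5, ttl_seconds: int = TOKEN_TTL_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry
        self._tokens = {}   # email -> [token, issued_at, failures]

    def issue(self, email: str, token_bytes: int = 16) -> str:
        """Issue a 128-bit URL-safe token instead of a 6-digit code. Issuing a new
        token replaces any outstanding one and resets its failure count."""
        token = secrets.token_urlsafe(token_bytes)
        self._tokens[email] = [token, self.clock(), 0]
        return token

    def verify(self, email: str, presented: str) -> bool:
        """Return True only for the unexpired, still-valid token of this email."""
        entry = self._tokens.get(email)
        if entry is None:
            return False
        token, issued_at, _failures = entry
        if self.clock() - issued_at > self.ttl:
            del self._tokens[email]          # expired: drop it
            return False
        if hmac.compare_digest(token, presented):
            del self._tokens[email]          # single use
            return True
        entry[2] += 1
        if entry[2] >= self.max_failures:
            del self._tokens[email]          # budget exhausted: token invalidated
        return False


if __name__ == "__main__":
    print(f"6-digit code entropy: {code_entropy_bits(DIGIT_CODE_SPACE):.1f} bits")
    print(f"expected guesses: {expected_attempts_to_guess(DIGIT_CODE_SPACE):.0f}")
    print(f"rate to cover the space in {TOKEN_TTL_SECONDS}s: "
          f"{required_rate_per_second(DIGIT_CODE_SPACE, TOKEN_TTL_SECONDS):.0f} req/s")
    v = TokenVerifier(max_failures=3)
    tok = v.issue("user@example.com")
    print("wrong guess accepted:", v.verify("user@example.com", "000000"))
    print("correct token accepted:", v.verify("user@example.com", tok))
```

The numbers make the point of the advisory concrete: a 6-digit code carries under 20 bits of entropy, and covering all of it within the lifetime needs only on the order of a thousand requests per second, which is why a failed-attempt budget is the decisive control. With max_failures set to a handful of tries, an attacker is left with a few guesses out of a million before the token is invalidated, and with a 128-bit token even an unlimited number of guesses within 15 minutes is hopeless. In a real deployment the token store would be shared across instances (for example in a database keyed by email) and the failure count would also feed an alert, since repeated failures for one address are exactly what the WAF or IDS recommendation above is meant to catch.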
