{"id":41434,"date":"2025-05-20T23:51:33","date_gmt":"2025-05-20T23:51:33","guid":{"rendered":""},"modified":"2025-08-30T04:39:02","modified_gmt":"2025-08-30T10:39:02","slug":"cve-2025-47781-critical-vulnerability-in-rallly-s-token-based-authentication-system","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-47781-critical-vulnerability-in-rallly-s-token-based-authentication-system\/","title":{"rendered":"<strong>CVE-2025-47781: Critical Vulnerability in Rallly&#8217;s Token-Based Authentication System<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>We are shedding light on a critical security vulnerability, identified as CVE-2025-47781, that affects Rallly, an open-source scheduling and collaboration tool. This vulnerability has a significant impact on all users of the application, potentially leading to system compromise and data leakage. It lies within the application&#8217;s token-based <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-46584-improper-authentication-logic-vulnerability-in-file-system-module\/\"  data-wpil-monitor-id=\"57968\">authentication system<\/a>, specifically in versions up to and including 3.22.1. The primary concern arises from the weak entropy of the 6-digit authentication token and absence of brute force protection, permitting unauthorized <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-46739-unauthenticated-brute-force-attack-leads-to-account-compromise\/\"  data-wpil-monitor-id=\"46391\">attackers to gain access to user accounts<\/a>. 
This blog post aims to provide an <a href=\"https:\/\/www.ameeba.com\/blog\/the-expanding-landscape-of-cybersecurity-an-in-depth-analysis-of-the-global-report-2032\/\"  data-wpil-monitor-id=\"47569\">in-depth analysis<\/a> of the vulnerability, its potential impact, and recommended mitigation strategies.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-47781<br \/>\nSeverity: Critical (9.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-42977-path-handling-vulnerability-that-risks-data-leakage-and-system-compromise\/\"  data-wpil-monitor-id=\"56975\">System compromise or data leakage<\/a><\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<p>Product | Affected Versions<\/p>\n<p>Rallly | Up to and including 3.22.1<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-36546-ssh-key-based-authentication-vulnerability-in-f5os-systems\/\"  data-wpil-monitor-id=\"46385\">vulnerability lies in the token-based authentication<\/a> system of the Rallly application. Upon login, users insert their email, and a 6-digit code is sent to their email address to complete the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-52921-critical-vulnerability-in-innoshop-allows-code-execution-by-authenticated-attackers\/\"  data-wpil-monitor-id=\"63497\">authentication<\/a>. 
This token, due to its low entropy, can be easily <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-48187-ragflow-account-takeover-due-to-brute-force-attack-vulnerability\/\"  data-wpil-monitor-id=\"51216\">brute-forced by an attacker<\/a> within the token&#8217;s expiration time of 15 minutes. Moreover, the absence of <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7393-critical-brute-force-vulnerability-in-drupal-mail-login\/\"  data-wpil-monitor-id=\"69396\">brute force<\/a> protection escalates the risk. An attacker with knowledge of a valid email address could systematically and successfully brute force the token, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-34509-hardcoded-user-account-in-sitecore-xm-and-xp-enabling-unauthenticated-remote-access\/\"  data-wpil-monitor-id=\"62814\">enabling them to take over the associated account<\/a>.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>While the exact <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2022-46721-arbitrary-code-execution-vulnerability-in-macos\/\"  data-wpil-monitor-id=\"47747\">code to exploit the vulnerability<\/a> is beyond the scope of this article, a conceptual example would involve an iterative process of attempting to authenticate with all possible 6-digit codes. 
This could be presented in pseudocode as follows:<\/p>\n<pre><code class=\"\" data-line=\"\">for code in range(100000, 999999):\n    response = requests.post(\n        &quot;https:\/\/www.rallly.co\/api\/auth\/callback\/email&quot;,\n        data={&#039;email&#039;: &#039;target@example.com&#039;, &#039;token&#039;: str(code)}\n    )\n    if response.status_code == 200:\n        print(f&quot;Successful authentication with token: {code}&quot;)\n        break<\/code><\/pre>\n<p>This <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-49526-out-of-bounds-write-vulnerability-in-illustrator-leading-to-arbitrary-code-execution\/\"  data-wpil-monitor-id=\"75234\">code fragment illustrates<\/a> the process of attempting authentication with all possible 6-digit codes. On a successful authentication, the process breaks and prints the successful token.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>As of the time of publication, no patched versions are available. However, until a security patch is released by Rallly, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5485-a-critical-vulnerability-pertaining-to-user-name-enumeration-in-web-management-interfaces\/\"  data-wpil-monitor-id=\"62815\">users are advised to employ Web<\/a> Application Firewalls (WAF) or Intrusion Detection Systems (IDS) as temporary mitigation. These <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-34332-critical-vulnerability-in-ami-s-spx-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"47568\">systems can help detect and prevent potential<\/a> brute force attacks. Furthermore, it is recommended to use unique email addresses not publicly associated with users, reducing the chance for attackers to guess the email addresses used for registration on the application.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview We are shedding light on a critical security vulnerability, identified as CVE-2025-47781, that affects Rallly, an open-source scheduling and collaboration tool. 
This vulnerability has a significant impact on all users of the application, potentially leading to system compromise and data leakage. It lies within the application&#8217;s token-based authentication system, specifically in versions up to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-41434","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/41434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=41434"}],"version-history":[{"count":11,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/41434\/revisions"}],"predecessor-version":[{"id":67823,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/41434\/revisions\/67823"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=41434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=41434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=41434"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=41434"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-js
on\/wp\/v2\/product?post=41434"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=41434"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=41434"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=41434"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=41434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}