{"id":41434,"date":"2025-05-20T23:51:33","date_gmt":"2025-05-20T23:51:33","guid":{"rendered":""},"modified":"2025-08-30T04:39:02","modified_gmt":"2025-08-30T10:39:02","slug":"cve-2025-47781-critical-vulnerability-in-rallly-s-token-based-authentication-system","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-47781-critical-vulnerability-in-rallly-s-token-based-authentication-system\/","title":{"rendered":"<strong>CVE-2025-47781: Critical Vulnerability in Rallly&#8217;s Token-Based Authentication System<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>This post covers CVE-2025-47781, a critical vulnerability in Rallly, an open-source scheduling and collaboration tool. It affects every deployment running version 3.22.1 or earlier and lets an unauthenticated attacker take over user accounts, which in turn exposes whatever data those accounts can reach. The flaw is in the application&#8217;s token-based authentication: the e-mailed login code is only 6 digits (at most 1,000,000 values, roughly 20 bits of entropy) and the verification endpoint applies no brute force protection, so the code can be guessed within its validity period. 
This post summarizes the vulnerability, its impact, and the mitigations available to operators.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-47781<br \/>\nSeverity: Critical (CVSS 9.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: Account takeover, leading to system compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<table>\n<thead>\n<tr><th>Product<\/th><th>Affected Versions<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td>Rallly<\/td><td>Up to and including 3.22.1<\/td><\/tr>\n<\/tbody>\n<\/table>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The weakness is in Rallly&#8217;s token-based (passwordless) login. A user enters their e-mail address, the server generates a 6-digit code and e-mails it to that address, and the user submits the code to complete authentication. Because the code space is at most 1,000,000 values and each code stays valid for 15 minutes, an attacker who submits guesses to the verification endpoint quickly enough can exhaust the space before the code expires: the whole space at roughly 1,100 requests per second, or half of it, which is the average case, at about 550. 
Moreover, nothing on the server limits those attempts: there is no rate limit, no per-account failure counter, and no lockout, so the only cost to the attacker is bandwidth. An attacker who knows a registered e-mail address, which is often guessable or publicly listed, can request a code for it and brute force the verification endpoint to take over the account; the victim does nothing except receive an unexpected login e-mail.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>Exploit code is out of scope for this article, but conceptually the attack is a loop that submits every possible 6-digit code to the verification endpoint until one is accepted. In Python it looks like the following; the endpoint path and the success condition are illustrative, and a real login flow may answer with a redirect and a session cookie rather than a bare 200.<\/p>\n<pre><code class=\"\" data-line=\"\">import requests\n\nTARGET = &quot;https:\/\/www.rallly.co\/api\/auth\/callback\/email&quot;\n\n# The code stays valid for 15 minutes, so the loop must finish inside that window.\nfor code in range(100000, 1000000):  # upper bound is exclusive, so 999999 is included\n    response = requests.post(\n        TARGET,\n        data={&#039;email&#039;: &#039;target@example.com&#039;, &#039;token&#039;: str(code)},\n        timeout=10,\n    )\n    if response.status_code == 200:  # success condition is illustrative\n        print(f&quot;Successful authentication with token: {code}&quot;)\n        break<\/code><\/pre>\n<p>This fragment walks every 6-digit code and stops at the first one the server accepts. 
On success the loop stops and prints the accepted code; in a real attack the valuable artifact is the authenticated session the server issues alongside it, not the code itself.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>At the time of writing no patched release was available; check Rallly&#8217;s security advisories for a fixed version and upgrade as soon as one exists. Until then, operators should put brute force controls in front of the verification endpoint themselves: rate limit POST requests to the login callback path at the reverse proxy or Web Application Firewall (WAF), alert on bursts of failed attempts from the same client or against the same account in an Intrusion Detection System (IDS), and block offending sources. Per-IP limits alone are weak against an attacker who rotates through proxies, so where the proxy can inspect the request body the limit should also be keyed on the target e-mail address. The durable fix belongs in the application: a longer, high-entropy code (or a signed magic link), a small cap on wrong guesses per issued code after which the code is invalidated, and constant-time comparison of the submitted value. Registering with e-mail addresses that are not publicly associated with the user makes targets harder to name, but it is defense in depth, not a fix: the attack needs only an address that exists.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview We are shedding light on a critical security vulnerability, identified as CVE-2025-47781, that affects Rallly, an open-source scheduling and collaboration tool. This vulnerability has a significant impact on all users of the application, potentially leading to system compromise and data leakage. 
It lies within the application&#8217;s token-based authentication system, specifically in versions up to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-41434","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/41434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=41434"}],"version-history":[{"count":11,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/41434\/revisions"}],"predecessor-version":[{"id":67823,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/41434\/revisions\/67823"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=41434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=41434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=41434"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=41434"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=41434"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/
attack_vector?post=41434"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=41434"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=41434"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=41434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
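The Mitigation section above describes the server-side fix only in general terms. The following is an added example written for this post, not code from Rallly or from its advisory: a minimal verification store that issues a 128-bit single-use code in place of a 6-digit one, expires it after the 15-minute lifetime the advisory quotes, compares it in constant time, and invalidates it after a fixed number of wrong guesses. The class and function names, the in-memory store, and the 5-guess cap are assumptions for illustration; a real deployment would keep this state in a shared store such as a database or Redis.

```python
"""Hardened one-time-code verification (added example; not Rallly's code).

Assumptions made here, not facts from the advisory: state lives in memory,
the cap on wrong guesses is 5, and the names CodeStore/PendingLogin are
hypothetical. The 15-minute lifetime is the one the advisory quotes.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60   # lifetime quoted in the advisory
MAX_ATTEMPTS = 5             # assumption: burn the code after 5 wrong guesses
CODE_BYTES = 16              # 128 bits of randomness instead of ~20 bits


@dataclass
class PendingLogin:
    code_hash: bytes   # only a hash is stored, so a DB leak does not leak codes
    issued_at: float
    failures: int = 0


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class CodeStore:
    """Issues and verifies e-mailed login codes, one live code per e-mail address."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry is testable
        self._pending: dict[str, PendingLogin] = {}

    def issue(self, email: str) -> str:
        """Mint a fresh code for `email`; returns the plaintext to e-mail out."""
        code = secrets.token_urlsafe(CODE_BYTES)
        self._pending[email] = PendingLogin(_digest(code), self._now())
        return code

    def has_pending(self, email: str) -> bool:
        return email in self._pending

    def verify(self, email: str, code: str) -> bool:
        """True only for the live, unexpired, not-yet-burned code for `email`."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[email]
            return False
        # Compare fixed-length digests in constant time: no early exit on mismatch.
        if hmac.compare_digest(_digest(code), entry.code_hash):
            del self._pending[email]   # single use
            return True
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            del self._pending[email]   # burn it; the user must request a new code
        return False


def simulate_brute_force(store: CodeStore, email: str, guesses):
    """Submit guesses until one is accepted or the store burns the code.

    Returns (succeeded, attempts_made).
    """
    attempts = 0
    for guess in guesses:
        attempts += 1
        if store.verify(email, guess):
            return True, attempts
        if not store.has_pending(email):
            return False, attempts
    return False, attempts


class FakeClock:
    """Settable clock for demonstrating expiry without sleeping."""

    def __init__(self, start: float = 1_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = CodeStore(now=clock)
    store.issue("victim@example.com")
    # The attack from the page: every 6-digit value. It is cut off after MAX_ATTEMPTS.
    ok, n = simulate_brute_force(store, "victim@example.com",
                                 (f"{i:06d}" for i in range(1_000_000)))
    print(f"brute force succeeded={ok} after {n} attempts")
```

With the cap in place the attacker gets 5 guesses per code the victim requests, so the per-code success probability against even a 6-digit code drops to 5 in 1,000,000, and against the 128-bit code it is negligible; the cap also means each attack run generates a burned code and a fresh login e-mail to the victim, which is itself a useful signal.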
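The Mitigation section above also suggests a WAF or IDS as a stop-gap. Here is an added example of the detection side, written for this post and not taken from Rallly or from any product rule set: a sliding-window count of POSTs to the login callback path per client IP over web-server access logs. It assumes the nginx/Apache combined log format, takes the endpoint path from the page's pseudocode, and uses constructed sample lines; the 20-requests-per-minute threshold is an assumption to tune per deployment.

```python
"""Spot brute force of the e-mail code endpoint in web-server logs.

Added example; not part of the advisory or of Rallly. It assumes the
nginx/Apache 'combined' log format and that the endpoint path is the one
used in the page's pseudocode. The sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_PATH = "/api/auth/callback/email"   # path from the page's pseudocode
WINDOW = timedelta(seconds=60)
THRESHOLD = 20   # assumption: more than 20 POSTs/min from one client is automated

# <ip> - - [<timestamp>] "<method> <path> <proto>" <status> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": int(m["status"]),
    }


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of POSTs to TARGET_PATH per client IP.

    Returns {ip: timestamp of the request that first exceeded the threshold}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent matching requests
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != TARGET_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()   # drop requests that fell out of the window
        if len(q) > threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def _line(ip, hhmmss, method, path, status, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [20/May/2025:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 42 "-" "{ua}"')


# Constructed sample: one human who mistypes once, one client submitting 30
# guesses in 30 seconds, plus an unrelated GET that must not count.
SAMPLE_LOG = (
    [_line("203.0.113.9", "12:00:01", "POST", TARGET_PATH, 401, "Mozilla/5.0"),
     _line("203.0.113.9", "12:00:20", "POST", TARGET_PATH, 200, "Mozilla/5.0")]
    + [_line("198.51.100.7", f"12:00:{s:02d}", "POST", TARGET_PATH, 401,
             "python-requests/2.32")
       for s in range(30)]
    + [_line("198.51.100.7", "12:01:00", "GET", "/p/example", 200,
             "python-requests/2.32")]
)


if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: exceeded {THRESHOLD} POSTs to {TARGET_PATH} "
              f"within {WINDOW.seconds}s at {when.isoformat()}")
```

Keying on the client IP is what an access log allows, which is why this is a stop-gap: an attacker spreading 1,000,000 guesses over a proxy pool stays under any per-IP threshold. A WAF that can read the POST body should count per target e-mail address as well, and the attempt cap in the application remains the control that actually closes the hole.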