‼️ Critical Security Issue: Update Rallly to v4.5.11 or Later Immediately #2067
lukevella announced in Announcements
A high‑severity security flaw has been discovered in a software component used by Rallly. On unpatched installations, this vulnerability could allow an attacker to execute code remotely on your server. If your instance is accessible from the internet and you are not running the latest release, your server is at significant risk.
This vulnerability, CVE-2025-55182 (also known as React2Shell), affects many applications built with React 19. There have already been reports of real-world breaches where attackers deployed malicious software on compromised servers.
Update 1 (12 December 2025): Two additional CVEs have been found which require a further patch.
Update 2 (12 December 2025): The React team announced that the previous patch they released was incomplete and published a new CVE.
Action required: update your self-hosted Rallly instance to v4.5.11 or later.
After updating, verify that your instance reports the latest Rallly version and review your logs for any warnings. To check the version, visit:
<your‑rallly‑instance>/api/status
If you use Rallly's hosted service, you do not need to take any action. Our servers were patched within hours of the CVE being announced, and there was no breach of our servers during that time.
This announcement is only relevant to self-hosted Rallly installations. If you manage your own Rallly instance, please update immediately as described above.
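The version check above can be automated for operators who run several instances. The following script is an added example, not code from the Rallly project or this announcement: it fetches `/api/status`, extracts the reported version, and compares it against the v4.5.11 minimum named in the title. The assumption that the status response is JSON with a top-level `version` key is mine (the announcement does not document the response format); the script falls back to scanning the raw body for a `MAJOR.MINOR.PATCH` string if that key is absent. The `https://rallly.example` URL is a placeholder.

```python
import json
import re
import sys
import urllib.request

# Minimum patched release named in the advisory title.
MIN_PATCHED = (4, 5, 11)

# Constructed sample of what an unpatched instance might return.
# ASSUMPTION: real /api/status output may use a different shape.
SAMPLE_STATUS_BODY = '{"version": "4.5.10"}'


def parse_version(text):
    """Turn "v4.5.11" or "4.6.0-beta.1" into an integer tuple for comparison."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, minimum=MIN_PATCHED):
    """True when the reported version is at or above the patched release."""
    return parse_version(version_text) >= minimum


def extract_version(status_body):
    """Pull a version string out of the /api/status response body.

    ASSUMPTION: the body is JSON with a top-level "version" key. A couple of
    alternative key names are tried; otherwise the raw body is returned so
    parse_version can scan it for a version-looking substring.
    """
    try:
        data = json.loads(status_body)
    except ValueError:
        data = {}
    if isinstance(data, dict):
        for key in ("version", "appVersion", "app_version"):
            value = data.get(key)
            if isinstance(value, str):
                return value
    return status_body


def check_instance(base_url, timeout=10):
    """Fetch <base_url>/api/status and return (reported_version, patched?)."""
    url = base_url.rstrip("/") + "/api/status"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    version = extract_version(body)
    return version, is_patched(version)


def check_sample():
    """Run the check against the constructed sample body (no network)."""
    version = extract_version(SAMPLE_STATUS_BODY)
    return version, is_patched(version)


if __name__ == "__main__":
    # Usage: python check_rallly.py https://your-rallly-instance
    base = sys.argv[1] if len(sys.argv) > 1 else "https://rallly.example"  # placeholder
    version, ok = check_instance(base)
    verdict = "patched" if ok else "NOT patched, update now"
    print(f"{base}: reported version {version} -> {verdict}")
    sys.exit(0 if ok else 1)
```

The script exits non-zero for an unpatched instance so it can sit in a cron job or CI step that alerts when any instance falls below the minimum. Pre-release suffixes such as `-beta.1` are ignored deliberately: only the numeric triple is compared.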