CVE-2025-53640: 
Python vulnerability analysis and mitigation

Indico, an event management system that uses Flask-Multipass for authentication, contains a vulnerability (CVE-2025-53640) discovered in July 2025. The vulnerability affects versions 2.2 through 3.3.6, where an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (name, affiliation and email) in bulk (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The issue stems from missing authorization checks that allow authenticated users to abuse an API endpoint intended for displaying user details in specific fields to instead dump user information in bulk (GitHub Advisory).

When exploited, this vulnerability allows authenticated attackers to obtain basic user details including names, affiliations, and email addresses in bulk. While individual user lookups are considered normal functionality for academic events, the ability to harvest all user information at once is unintended behavior (GitHub Release).

The vulnerability is fixed in Indico version 3.3.7. While it is possible to restrict access to the affected endpoints in the webserver configuration as a workaround, this is not recommended as it would break certain form fields that need to display user details. The recommended action is to upgrade to version 3.3.7. Additionally, instances that allow public user account creation can further restrict access by setting ALLOW_PUBLIC_USER_SEARCH to False in the configuration (GitHub Advisory, Indico Docs).

The vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa). The Indico team classified this as a moderate severity issue, noting that some level of user information exposure is expected behavior in academic event management contexts (GitHub Advisory).