CVE-2025-53640: 
Python vulnerability analysis and mitigation

Indico, an event management system that uses Flask-Multipass (a multi-backend authentication system for Flask), was found to contain a vulnerability (CVE-2025-53640) affecting versions 2.2 through 3.3.6. The vulnerability was discovered and disclosed on July 14, 2025, where an endpoint used to display details of users listed in certain fields could be misused to dump basic user details such as name, affiliation, and email in bulk (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 score of 5.3 (Medium) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The issue is classified under multiple CWE categories including CWE-200 (Exposure of Sensitive Information), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization) (GitHub Advisory).

The vulnerability allows attackers to access and collect basic user information (name, affiliation, and email) in bulk from the system. While this is considered a moderate severity issue due to Indico's primary use in academic events where some user information is expected to be accessible, the ability to collect this information in bulk was not intended behavior (GitHub Release).

The vulnerability has been fixed in Indico version 3.3.7. Users are strongly recommended to upgrade to this version. For instances that allow everyone to create user accounts and wish to restrict access to user details, administrators can consider restricting user search to managers using the newly introduced ALLOWPUBLICUSERSEARCH setting in indico.conf. While it is possible to restrict access to the affected endpoints in the webserver config as a workaround, this is not recommended as it would break certain form fields that need to display user details (GitHub Advisory, [Indico Docs](https://docs.getindico.io/en/stable/config/settings/#ALLOWPUBLICUSERSEARCH)).