CVE-2025-59034: 
Python vulnerability analysis and mitigation

Indico, an event management system utilizing Flask-Multipass for authentication, was found to contain a security vulnerability (CVE-2025-59034) prior to version 3.3.8. The vulnerability was disclosed on September 10, 2025, affecting all versions up to 3.3.7. The issue involves a legacy API that could be exploited to access profile details of other users without proper administrative permissions (GitHub Advisory).

The vulnerability stems from a broken access check in a legacy API endpoint designed for retrieving user details. It has been assigned a CVSS v3.1 base score of 4.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and can impact confidentiality but not integrity or availability. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (GitHub Advisory, NVD).

The vulnerability allows authenticated users to access profile details of other users within the system without having the required administrative permissions. This unauthorized access to user information represents a privacy concern and potential data breach risk (GitHub Advisory).

The primary mitigation is to upgrade to Indico version 3.3.8 which contains the security fix. As a temporary workaround, administrators can restrict access to the affected API through webserver configuration. The workaround is considered safe as the legacy API is likely unused in most deployments (GitHub Release, GitHub Advisory).