CVE-2025-53640: Indico vulnerability allows attackers to bulk dump user details
An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.
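The weak pattern behind this class of bug, and the scoped lookup that closes it, as an added illustration that is not Indico's own code and is not taken from the fix linked below. All names, the sample directory, the ACL tables and the `Forbidden` exception are constructed for the example; the hypothetical `details_weak` resolves whatever ids the caller sends, while `details_scoped` resolves only ids that actually appear in an ACL the requester is entitled to view, which removes the bulk-enumeration path and yields a count of out-of-scope ids worth logging.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    name: str
    affiliation: str
    email: str


# Constructed sample directory (hypothetical data, not from Indico).
USERS = {
    1: User(1, "Alice Example", "Example University", "alice@example.org"),
    2: User(2, "Bob Sample", "Sample Institute", "bob@example.org"),
    3: User(3, "Carol Test", "Test Labs", "carol@example.org"),
    4: User(4, "Dave Demo", "Demo Corp", "dave@example.org"),
}

# Which user ids are listed in each ACL, and who may view that ACL
# (for instance the event's managers). Also constructed.
ACL_MEMBERS = {"event-1": {2, 3}}
ACL_VIEWERS = {"event-1": {"manager-1"}}


class Forbidden(Exception):
    """Raised when the requester may not resolve ids in the given ACL context."""


def details_weak(user_ids):
    """Weak pattern: resolves every id the caller supplies.

    Nothing ties the requested ids to the ACL being displayed, so a
    caller can walk the id space and dump the directory in bulk.
    """
    return [USERS[i] for i in user_ids if i in USERS]


def details_scoped(requester, acl_key, user_ids):
    """Hardened pattern: ids are resolved only inside an ACL context.

    The requester must be entitled to view that ACL, and only ids that
    are actually listed in it are resolved. Returns the resolved users
    and the number of requested ids that fell outside the ACL; a large
    count is a useful signal to log as a probable enumeration attempt.
    """
    if requester not in ACL_VIEWERS.get(acl_key, set()):
        raise Forbidden(f"{requester!r} may not view ACL {acl_key!r}")
    listed = ACL_MEMBERS.get(acl_key, set())
    requested = set(user_ids)
    dropped = requested - listed
    resolved = [USERS[i] for i in sorted(requested & listed) if i in USERS]
    return resolved, len(dropped)


if __name__ == "__main__":
    print("weak:", [u.email for u in details_weak(range(1, 100))])
    users, dropped = details_scoped("manager-1", "event-1", [1, 2, 3, 4])
    print("scoped:", [u.email for u in users], "dropped:", dropped)
```

The scoped version keeps the endpoint's legitimate purpose (showing who is in the ACL the viewer is looking at) while making it useless for harvesting: a request for ids outside the ACL returns nothing for them, and the dropped count gives operators something to alert on.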
References
- docs.getindico.io/en/stable/config/settings/
- docs.getindico.io/en/stable/installation/upgrade
- github.com/advisories/GHSA-q28v-664f-q6wj
- github.com/indico/indico
- github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1
- github.com/indico/indico/releases/tag/v3.3.7
- github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj
- nvd.nist.gov/vuln/detail/CVE-2025-53640
- www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability
- www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability