Indico Broken Object Level Authorization (BOLA) Vulnerability

Vulnerability Information

Vulnerability Name: Indico Broken Object Level Authorization (BOLA) Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53640

Vulnerability Type: Authorization Bypass

Severity: High

Description: Indico is a widely used event management platform developed by CERN (the European Organization for Nuclear Research), mainly used to run the infrastructure behind academic and institutional events. It is adopted worldwide by many well-known institutions, including CERN, the United Nations, and numerous universities and research institutes, and manages hundreds of thousands of events and millions of participants every year. Given its wide deployment and importance, security issues in Indico can seriously affect academic and government institutions around the world.

The vulnerability is a Broken Object Level Authorization (BOLA) issue. Specifically, Indico's /api/principals endpoint was designed to resolve user IDs in particular form fields, but because it lacked strict access control, an attacker could use it to enumerate the details of any valid user ID, including full name, email address, title, affiliation, and avatar URL. The technical root cause is improper input validation combined with a missing access-control check, which allowed unauthorized users to access sensitive information.

The impact is severe because the flaw can leak personal data (PII), including the identities of researchers and administrators, and so enables privacy breaches, phishing, and targeted attacks. Although a valid authenticated session is required to exploit it, most public Indico instances allow free registration without email verification or administrator approval, so in practice the vulnerability is open to the public. The issue has been confirmed by the Indico maintainers and fixed in version 3.3.7. The fix restricts access to the /api/principals endpoint and introduces a new configuration setting, ALLOW_PUBLIC_USER_SEARCH, that lets administrators control this behaviour.

Vendor: CERN

Product: Indico

Affected Versions: version < 3.3.7

Source: https://github.com/rafaelcorvino1/CVE-2025-53640-Indico-User-Enumeration-via-api-principals-BOLA-

Type: CVE-2025:github search

Repository Files

  • LICENSE
  • README.md

Source Overview

CVE-2025-53640 – BOLA Vulnerability in CERN’s Indico (User Enumeration via /api/principals)

PoC and technical analysis of CVE-2025-53640: a Broken Object Level Authorization (BOLA) vulnerability in Indico enables authenticated user enumeration via the /api/principals endpoint, exposing names, emails, and affiliations. Includes exploitation script (Python), request analysis, and screenshots. Affects globally deployed Indico instances (CERN, UN, research institutes).

Description

A Broken Object Level Authorization (BOLA) vulnerability in the open-source application Indico allows mass user enumeration through the /api/principals endpoint.

Originally intended to resolve user IDs in specific form fields, this endpoint can be misused to retrieve personal details of any valid user ID:

  • Full name
  • Email address
  • Title
  • Affiliation
  • Avatar URL

The vulnerability was reported and acknowledged by Indico’s maintainers, and is now officially tracked as CVE-2025-53640.

Exploitation Requirements

  • A valid authenticated session is required.
  • However, most public Indico instances allow free self-registration with no email verification, CAPTCHA, or admin approval.
  • This makes the vulnerability effectively publicly accessible.

Global Impact

Indico is a widely used event management platform originally developed by CERN (European Organization for Nuclear Research), and it powers academic and institutional event infrastructure globally:

  • CERN (European Organization for Nuclear Research): over 900,000 events annually, with approximately 200 rooms scheduled per day.
  • Global: around 145,000 events/year hosted using Indico across more than 300 institutions.
  • UN (United Nations): over 180,000 participants/year managed through Indico.
  • UNOG (United Nations Office at Geneva): up to 700,000 users/year rely on the platform.
  • Used by universities, laboratories, research institutes, and government organizations across all continents.

Indico is publicly deployed by institutions such as:

Due to its adoption in scientific, academic, and governmental environments, this vulnerability poses serious risks:

  • Disclosure of researcher and admin identities
  • Privacy breaches on a global scale
  • Platform-wide user reconnaissance for phishing
  • Potential for targeted attacks in sensitive projects (e.g., particle physics, policy events)

Impact

  • Disclosure of personal data (PII)
  • Enumeration of privileged accounts (e.g., administrators)
  • Enables targeted phishing and spear-phishing campaigns
  • Violates privacy regulations such as GDPR and LGPD
  • Facilitates large-scale harvesting of institutional directories

Patch

This issue was fixed in Indico version 3.3.7.

According to the official release notes, the patch prevents dumping of basic user details (name, affiliation, and email) in bulk using the user ID.

According to the maintainers, looking up individual users is expected behavior in academic environments, but the ability to enumerate all users in bulk was unintended and is now mitigated.

The maintainers introduced the new config setting ALLOW_PUBLIC_USER_SEARCH to give admins control over this behavior.

Further mitigations were implemented:

  • Limit registration email check endpoint
  • Disable person link resolution in some forms when search is restricted
  • Add warnings when unlisted events lack ACLs under restricted search conditions

Proof of Concept (PoC)


Mitigation Tips

  • Restrict the /api/principals endpoint to authorized roles only
  • Avoid exposing full user details; limit fields to what is strictly necessary
  • Consider setting ALLOW_PUBLIC_USER_SEARCH = false in indico.conf
  • Disable or restrict open registration to verified users only
  • Enable rate-limiting and monitoring
  • Upgrade to Indico 3.3.7 or later
  • Monitor /api/principals access patterns for abuse
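The last tip, monitoring /api/principals access patterns for abuse, can be turned into a simple burst detector over web-server access logs. This is an added example, not code from the PoC repository or from Indico; it assumes Apache/nginx combined-format logs, uses the client IP as the source identifier (swap in a session identifier if your logs carry one), and the 60-second window and 30-request threshold are constructed starting values, not Indico defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log prefix: client, identity, user, [timestamp], "request line", status
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample traffic (not real logs). The first client resolves two principals minutes
# apart while editing a form; the second sends one request per second, the bulk-lookup pattern.
NORMAL = [
    '198.51.100.7 - - [19/Jul/2025:10:00:01 +0000] "POST /api/principals HTTP/1.1" 200 412',
    '198.51.100.7 - - [19/Jul/2025:10:00:05 +0000] "GET /event/42/registrations/ HTTP/1.1" 200 9031',
    '198.51.100.7 - - [19/Jul/2025:10:03:40 +0000] "POST /api/principals HTTP/1.1" 200 388',
]
BULK = [f'203.0.113.9 - - [19/Jul/2025:10:10:{s:02d} +0000] "POST /api/principals HTTP/1.1" 200 401'
        for s in range(45)]
SAMPLE_LOG = "\n".join(NORMAL + BULK) + "\n"


def parse_access_log(text: str) -> list[tuple[str, datetime, str, int]]:
    """Return (client, timestamp, path without query string, status) per line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            records.append((m["client"], ts, m["path"].split("?", 1)[0], int(m["status"])))
    return records


def principal_bursts(records, window=timedelta(seconds=60)) -> dict[str, int]:
    """Per client: the largest number of successful /api/principals calls inside any one window."""
    per_client = defaultdict(list)
    for client, ts, path, status in records:
        if path == "/api/principals" and 200 <= status < 300:   # only lookups that returned data
            per_client[client].append(ts)
    bursts = {}
    for client, times in per_client.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        bursts[client] = best
    return bursts


def flag_enumeration(records, threshold: int = 30) -> list[str]:
    """Clients whose burst rate looks like bulk user-ID enumeration rather than interactive form use."""
    return sorted(c for c, n in principal_bursts(records).items() if n >= threshold)
```

Run against the constructed sample, `flag_enumeration(parse_access_log(SAMPLE_LOG))` reports only `203.0.113.9`; on a patched instance with ALLOW_PUBLIC_USER_SEARCH disabled the same detector still flags accounts probing the endpoint.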

CVE

Official ID: CVE-2025-53640

Disclosure

This vulnerability was discovered during a security assessment performed as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa – Brazil).

Research and testing were conducted under formal authorization and coordination from RNP. Special thanks to the RNP Security Team for providing the infrastructure, methodology, and ethical oversight.

This CVE demonstrates the importance of enforcing strict object-level access control, especially in platforms managing sensitive institutional data.

http://example.com/2025/07/19/github_133410396/
Author: lianccc
Published: 19 July 2025