Indico Broken Object Level Authorization (BOLA) Vulnerability

Vulnerability Information

Vulnerability name: Indico Broken Object Level Authorization (BOLA) Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53640

Vulnerability type: authorization bypass

Severity: High

Vulnerability description: Indico is an open-source event and conference management platform developed by the European Organization for Nuclear Research (CERN). It is widely used in academic and institutional infrastructure around the world, including at well-known organizations such as the United Nations, the Massachusetts Institute of Technology, and the European Space Agency. The platform handles a large volume of events and participants every year and is an indispensable tool in scientific, academic, and government environments.

This vulnerability belongs to the Broken Object Level Authorization (BOLA) class, that is, a failure of object-level authorization. Specifically, Indico's /api/principals endpoint was originally designed to resolve user IDs in specific form fields, but because it lacked strict access control, an attacker could use the endpoint to enumerate the details of any valid user ID, including full name, email address, title, affiliation, and avatar URL. The technical root cause is that the endpoint did not properly verify the requester's authorization, which led to unauthorized data access.

The impact of this vulnerability is severe because it allows an attacker to obtain the personal information of a large number of users, including high-privilege users such as administrators and organizers. Beyond the leakage of private personal data, the information could be used for large-scale phishing or social-engineering attacks and could even affect the security of sensitive research and policy initiatives. Although exploiting the vulnerability requires a valid authenticated session, most public Indico instances allow self-registration without email verification, CAPTCHA, or manual approval, so in practice the vulnerability can be exploited by unauthenticated users. The vulnerability has been fixed upstream; all users are advised to upgrade to Indico v3.3.7 or later to guard against the risk.

Vendor: CERN

Product: Indico

Affected versions: version <= 3.3.6

Source: https://github.com/rafaelcorvino1/CVE-2025-53640

Type: CVE-2025: github search

Repository files

  • LICENSE
  • README.md

Source overview

CVE-2025-53640 – Authenticated User Enumeration via /api/principals in CERN’s Indico (BOLA Vulnerability)


PoC and technical analysis of CVE-2025-53640: a Broken Object Level Authorization (BOLA) vulnerability in Indico enables authenticated user enumeration via the /api/principals endpoint, exposing names, emails, and affiliations. Includes exploitation script (Python), request analysis, and screenshots. Affects globally deployed Indico instances (European Organization for Nuclear Research (CERN), United Nations (UN), Massachusetts Institute of Technology (MIT), European Space Agency (ESA), among others).

Description

A Broken Object Level Authorization (BOLA) vulnerability in the open-source application Indico allows mass user enumeration through the /api/principals endpoint.

Originally intended to resolve user IDs in specific form fields, this endpoint can be misused to retrieve personal details of any valid user ID:

  • Full name

  • Email address

  • Title

  • Affiliation

  • Avatar URL

The vulnerability was reported and acknowledged by Indico’s maintainers, and is officially tracked as CVE-2025-53640.

Exploitation Requirements

  • A valid authenticated session is required.

  • However, most public Indico instances allow self-registration with no email verification, CAPTCHA, or manual approval.

  • This makes the vulnerability practically exploitable by unauthenticated users after trivial account creation.

Global Impact

Indico is a widely adopted event and conference management platform developed by CERN (European Organization for Nuclear Research), powering academic and institutional infrastructure globally:

  • CERN (European Organization for Nuclear Research): Over 900,000 events annually; 200+ rooms booked daily.

  • Worldwide: Around 145,000 events/year across 300+ institutions.

  • UN (United Nations): Over 180,000 participants/year.

  • UNOG (United Nations Office at Geneva): Up to 700,000 users/year.

  • Extensively used by universities, laboratories, research institutes, and government agencies.

Examples of affected public instances:

Due to its widespread adoption in scientific, academic, and governmental environments, this vulnerability poses serious risks:

  • Identity leakage of researchers, staff, and administrators

  • Large-scale privacy breaches and institutional directory exposure

  • Targeted reconnaissance for phishing or social engineering

  • Potential compromise of sensitive research and policy initiatives

Impact

  • Disclosure of personal data (PII)

  • Enumeration of high-privilege users (admins, organizers)

  • Supports mass phishing and spear-phishing operations

  • Violates regulations such as GDPR, LGPD, and internal institutional policies

  • May constitute a reportable breach depending on jurisdiction

Patch

The issue was fixed in Indico v3.3.7.

According to the maintainers, the endpoint’s behavior was adjusted to prevent dumping of user data (name, affiliation, and email) in bulk via predictable IDs. A new configuration flag ALLOW_PUBLIC_USER_SEARCH was also introduced.

Additional mitigations include:

  • Restricting registration email checks

  • Disabling person link resolution when public search is disabled

  • Adding UI warnings for events with no ACL under restricted search

Proof of Concept (PoC)

Exploit

PoC script to be published after responsible disclosure timeline.

Mitigation Tips

  • Restrict access to /api/principals endpoint based on role or context

  • Set ALLOW_PUBLIC_USER_SEARCH = false in indico.conf

  • Limit exposed user fields to only what’s necessary

  • Disable or restrict self-registration (e.g., email verification, admin approval)

  • Enable monitoring and rate-limiting on the endpoint

  • Upgrade to Indico 3.3.7 or newer immediately

  • Monitor access logs for enumeration patterns
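As an added example (not code from the original repository or from the Indico project), the following Python script implements the last two tips above: it scans web-server access logs in the common Apache/nginx "combined" format and flags any client that bursts requests to /api/principals, which is what an ID-enumeration run looks like from the server side. The log format, the client addresses, the 60-second window and the threshold of 20 requests are constructed assumptions; only the endpoint path comes from the advisory.

```python
"""Flag clients that burst requests to Indico's /api/principals.

Constructed detection example: parses "combined"-format access-log lines
and reports clients exceeding THRESHOLD successful requests to the
endpoint within any WINDOW_SECONDS sliding window. Tune both values to
the baseline of your own instance.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TARGET_PATH = "/api/principals"   # endpoint named in the advisory
WINDOW_SECONDS = 60               # assumed detection window
THRESHOLD = 20                    # assumed per-client request ceiling

def parse_line(line):
    """Return (ip, timestamp, path-without-query, status) or None on a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0], int(m.group("status"))

def detect_enumeration(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: peak_count} for clients whose successful /api/principals
    requests exceed `threshold` inside any `window`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of hits still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if path != TARGET_PATH or status != 200:
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()          # drop hits older than the window
        if len(hits) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(hits))
    return peaks

def sample_log():
    """Constructed log: one ordinary user (3 lookups) and one client firing 25 lookups in 48 s."""
    base = '{ip} - - [19/Jul/2025:10:00:{sec:02d} +0000] "POST {path} HTTP/1.1" {status} 512'
    lines = [base.format(ip="10.0.0.5", sec=s, path=TARGET_PATH, status=200) for s in (1, 7, 40)]
    lines += [base.format(ip="198.51.100.23", sec=s, path=TARGET_PATH, status=200) for s in range(0, 50, 2)]
    lines.append(base.format(ip="198.51.100.23", sec=51, path="/api/events", status=200))
    return lines

if __name__ == "__main__":
    print(detect_enumeration(sample_log()))   # {'198.51.100.23': 25}
```

Feeding the same function a live log tail gives a simple alert source until the endpoint is rate-limited at the reverse proxy.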

CVE

Official ID: CVE-2025-53640

Disclosure

This vulnerability was discovered during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa – Brazil).

All research and testing were performed with prior authorization and oversight. Special thanks to the RNP Security Team for providing ethical guidance and infrastructure support.

This CVE underscores the importance of enforcing strict object-level access control in platforms that manage sensitive institutional data.

Author: lianccc

Published: July 19, 2025