CVE-2025-59034

Description

### Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. ### Patches You should to update to [Indico 3.3.8](https://github.com/indico/indico/releases/tag/v3.3.8) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update. ### Workarounds It is possible to restrict access to the affected API (e.g. in the webserver config) which is most likely unused anyway and thus will not break anything. ### For more information If you have any questions or comments about this advisory: - Open a thread in [our forum](https://talk.getindico.io/) - Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)

How to fix CVE-2025-59034

To remediate CVE-2025-59034, upgrade the affected package to a fixed version below.

• —upgrade to 3.3.8 or later

Is CVE-2025-59034 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.3.8

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59034
• PATCHgithub.com/indico/indico
• WEBgithub.com/indico/indico/releases/tag/v3.3.8
• WEBgithub.com/indico/indico/security/advisories/GHSA-4269-mcfh-cp7q