CVE-2025-64513
BaseFortify
Publication date: 2025-11-10
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| milvus | milvus | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Milvus, an open-source vector database, allows an unauthenticated attacker to bypass all authentication mechanisms in the Milvus Proxy component in versions prior to 2.4.24, 2.5.21, and 2.6.5. By exploiting this, the attacker gains full administrative access to the Milvus cluster, enabling them to read, modify, or delete data and perform privileged administrative operations such as managing databases or collections.
How can this vulnerability impact me? :
The impact of this vulnerability is severe as it grants an attacker full administrative access to the Milvus cluster without authentication. This means the attacker can read sensitive data, alter or delete data, and perform administrative tasks that could disrupt operations, compromise data integrity, and lead to data loss or unauthorized data exposure.
What immediate steps should I take to mitigate this vulnerability?
If immediate upgrade to Milvus versions 2.4.24, 2.5.21, or 2.6.5 is not possible, apply a temporary mitigation by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass vulnerability.