CVE-2025-64513
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. This issue has been fixed in Milvus 2.4.24, 2.5.21, and 2.6.5. If immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass behavior.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64513
EUVD
EUVD-2025-50814
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
milvus milvus *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Milvus, an open-source vector database, allows an unauthenticated attacker to bypass all authentication mechanisms in the Milvus Proxy component in versions prior to 2.4.24, 2.5.21, and 2.6.5. By exploiting this, the attacker gains full administrative access to the Milvus cluster, enabling them to read, modify, or delete data and perform privileged administrative operations such as managing databases or collections.

Impact Analysis

The impact of this vulnerability is severe as it grants an attacker full administrative access to the Milvus cluster without authentication. This means the attacker can read sensitive data, alter or delete data, and perform administrative tasks that could disrupt operations, compromise data integrity, and lead to data loss or unauthorized data exposure.

Mitigation Strategies

If immediate upgrade to Milvus versions 2.4.24, 2.5.21, or 2.6.5 is not possible, apply a temporary mitigation by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart