PT-2025-46212 · Milvus · Milvus

Published: 2025-11-10 · Updated: 2026-02-20 · CVE-2025-64513

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Milvus versions prior to 2.4.24; Milvus versions 2.5.0 through 2.5.20; Milvus versions 2.6.0 through 2.6.4
Description: An unauthenticated attacker can bypass the authentication mechanisms of the Milvus Proxy component and gain full administrative access to the Milvus cluster. With that access, the attacker can read, modify, or delete data and perform administrative operations such as database or collection management. The root cause is that a request whose sourceid metadata is set to Base64("@@milvus-member@@") circumvents the Proxy's authentication checks. Approximately 6,000 systems are potentially affected.
Recommendations: Upgrade to Milvus version 2.4.24 or later, 2.5.21 or later, or 2.6.5 or later, depending on the release line in use. As a temporary mitigation, remove the sourceID header from all incoming requests at the gateway, API gateway, or load balancer before they reach the Milvus Proxy.
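The interim mitigation above amounts to two gateway-side rules: drop every sourceid header before forwarding, and alert when the dropped value was the internal member marker, since that value has no legitimate reason to arrive from outside the cluster. The Python below is an added illustration of that logic, not code from Milvus or from the advisory's authors. It matches the header name case-insensitively (HTTP header names are case-insensitive and gRPC lowercases metadata keys, so a filter keyed on one exact spelling can be missed), compares the decoded bytes rather than the Base64 string so padding or whitespace differences do not hide a match, and runs over a constructed sample of requests; the request shape, the field names and the helper names are assumptions for the example.

```python
import base64
from typing import Dict, List, Tuple

# Marker described in the advisory: the Base64 encoding of "@@milvus-member@@"
# carried in the sourceid request metadata.
MEMBER_MARKER = base64.b64encode(b"@@milvus-member@@").decode("ascii")

# Header name as given in the advisory. Matching is case-insensitive because
# HTTP header names are case-insensitive and gRPC lowercases metadata keys.
SOURCE_HEADER = "sourceid"


def strip_source_header(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a copy of the headers with every sourceid variant removed,
    plus the list of values that were removed (kept for alerting)."""
    kept: Dict[str, str] = {}
    removed: List[str] = []
    for name, value in headers.items():
        if name.lower() == SOURCE_HEADER:
            removed.append(value)
        else:
            kept[name] = value
    return kept, removed


def carries_member_marker(values: List[str]) -> bool:
    """True if any removed sourceid value decodes to the internal member marker.
    Such a value arriving from outside the cluster is the condition to alert on."""
    for v in values:
        try:
            # validate=True rejects non-Base64 characters instead of ignoring them.
            decoded = base64.b64decode(v.strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded == b"@@milvus-member@@":
            return True
    return False


# Constructed sample (assumed shape): what a gateway might see on its external listener.
SAMPLE_REQUESTS = [
    # r1: marker present under the lowercase header name -> strip and alert
    {"id": "r1", "headers": {"authorization": "Bearer user-token", "sourceid": MEMBER_MARKER}},
    # r2: unrelated value ("Alice") under a mixed-case spelling -> strip, no alert
    {"id": "r2", "headers": {"authorization": "Bearer user-token", "SourceID": "QWxpY2U="}},
    # r3: no sourceid header at all -> forwarded unchanged
    {"id": "r3", "headers": {"authorization": "Bearer user-token"}},
]


def process(requests: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Apply the mitigation to each request; return the sanitized requests
    and the ids of requests that carried the internal member marker."""
    sanitized: List[Dict] = []
    alerts: List[str] = []
    for req in requests:
        headers, removed = strip_source_header(req["headers"])
        if carries_member_marker(removed):
            alerts.append(req["id"])
        sanitized.append({"id": req["id"], "headers": headers})
    return sanitized, alerts


if __name__ == "__main__":
    clean, flagged = process(SAMPLE_REQUESTS)
    for r in clean:
        print(r["id"], sorted(r["headers"]))
    print("alerts:", flagged)
```

The unconditional strip is the mitigation; the marker comparison only decides whether the dropped header is worth an alert, so a gateway that cannot decode Base64 can still apply the first rule alone.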

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: BIT-MILVUS-2025-64513, CVE-2025-64513, GHSA-MHJQ-8C7M-3F7P, GO-2025-4114

Affected Products: Milvus