Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-64513
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-10 Nov, 2025 | 22:05
Updated At-12 Nov, 2025 | 20:13
Rejected At-
▼CVE Numbering Authority (CNA)
Milvus Proxy has Critical Authentication Bypass Vulnerability

Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. This issue has been fixed in Milvus 2.4.24, 2.5.21, and 2.6.5. If immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass behavior.

Affected Products
Vendor
milvus-io
Product
milvus
Versions
Affected
  • < 2.4.24
  • >= 2.5.0, < 2.5.21
  • >= 2.6.0, < 2.6.5
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287: Improper Authentication
Type: CWE
CWE ID: CWE-287
Description: CWE-287: Improper Authentication
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p
x_refsource_CONFIRM
https://github.com/milvus-io/milvus/pull/45379
x_refsource_MISC
https://github.com/milvus-io/milvus/pull/45383
x_refsource_MISC
https://github.com/milvus-io/milvus/pull/45391
x_refsource_MISC
Hyperlink: https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/milvus-io/milvus/pull/45379
Resource:
x_refsource_MISC
Hyperlink: https://github.com/milvus-io/milvus/pull/45383
Resource:
x_refsource_MISC
Hyperlink: https://github.com/milvus-io/milvus/pull/45391
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found