
CVE-2025-15453: Deserialization in milvus

Medium
Published: Mon Jan 05 2026 (01/05/2026, 02:32:06 UTC)
Source: CVE Database V5
Product: milvus

Description

A security vulnerability has been detected in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. A fix is planned for the next release 2.6.8.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 02/23/2026, 23:06:20 UTC

Technical Analysis

CVE-2025-15453 is a vulnerability in Milvus, an open-source vector database widely used for AI and similarity-search workloads. The flaw is in the expr.Exec function of pkg/util/expr/expr.go, reached through the HTTP Endpoint component: the value of the 'code' argument is handed to expr.Exec without adequate restriction, and VulDB classifies the weakness as deserialization. The package and function names point to an expression evaluator, so the practical effect is likely evaluation of attacker-supplied expressions against server-side state rather than parsing of a serialized object; either way, a remote attacker who can reach the endpoint can have the service process crafted input, with the potential for code execution inside the Milvus process. The CVSS 4.0 base score is 5.3 (medium), which in CVSS 4.0 terms means low, not high, impact on confidentiality, integrity and availability. The description does not state whether the endpoint requires credentials, so neither assume it is open to unauthenticated callers nor rely on authentication as a compensating control. Affected are Milvus releases up to and including 2.6.7. A public exploit exists; no in-the-wild exploitation is recorded here, but public disclosure raises the likelihood of attempts. The fix is planned for 2.6.8, so deployments remain exposed until that release ships and is applied.
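The advisory locates the flaw at the point where the HTTP endpoint hands the 'code' argument to expr.Exec, so the first practical control is reachability: make that endpoint unreachable from anywhere but a trusted network and, for trusted callers, require a secret. The Go program below is an added example written for this page; it is not Milvus code and does not use the Milvus API. It assumes a hypothetical endpoint path of /expr and a hypothetical header name X-Expr-Auth, uses a constructed trusted-network allowlist, and replays requests with net/http/httptest so that it runs offline.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

// Assumptions, not taken from the advisory: the expression endpoint is served
// at exprPath, and callers prove themselves with a shared secret in authHeader.
const (
	exprPath   = "/expr"
	authHeader = "X-Expr-Auth"
)

// trustedNets is a constructed allowlist standing in for the operator's
// management network; only peers inside it may reach the endpoint at all.
var trustedNets = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"),
}

// fromTrustedNet checks the TCP peer address and deliberately ignores
// X-Forwarded-For, which a client on an untrusted network can set to anything.
func fromTrustedNet(remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false
	}
	for _, p := range trustedNets {
		if p.Contains(ap.Addr()) {
			return true
		}
	}
	return false
}

// guardExprEndpoint wraps the application mux. Any request to the expression
// route, or carrying a "code" parameter on any route, must come from a trusted
// network and present the secret; everything else passes through unchanged.
func guardExprEndpoint(next http.Handler, secret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if r.URL.Path != exprPath && !q.Has("code") {
			next.ServeHTTP(w, r)
			return
		}
		if !fromTrustedNet(r.RemoteAddr) {
			log.Printf("blocked expr request: src=%s path=%s code=%q", r.RemoteAddr, r.URL.Path, q.Get("code"))
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// Constant-time compare; an empty configured secret never matches.
		if secret == "" || subtle.ConstantTimeCompare([]byte(r.Header.Get(authHeader)), []byte(secret)) != 1 {
			log.Printf("rejected expr request without valid secret: src=%s", r.RemoteAddr)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// appMux stands in for the Milvus HTTP mux; the real handler would pass
// "code" on to expr.Exec. Here it only echoes what it would have evaluated.
func appMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	mux.HandleFunc(exprPath, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "would evaluate %q", r.URL.Query().Get("code"))
	})
	return mux
}

// probe replays one request through the guard and returns the HTTP status.
func probe(h http.Handler, remoteAddr, target, auth string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.RemoteAddr = remoteAddr
	if auth != "" {
		req.Header.Set(authHeader, auth)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := guardExprEndpoint(appMux(), "s3cret")
	fmt.Println(probe(h, "203.0.113.7:51000", "/expr?code=1%2B1", ""))    // 403: untrusted source
	fmt.Println(probe(h, "10.1.2.3:51000", "/expr?code=1%2B1", ""))       // 401: no secret
	fmt.Println(probe(h, "10.1.2.3:51000", "/expr?code=1%2B1", "s3cret")) // 200: allowed
	fmt.Println(probe(h, "203.0.113.7:51000", "/health", ""))             // 200: unrelated route
}
```

In a real deployment the same decision belongs in a reverse proxy or network policy in front of Milvus, since the vulnerable code is upstream of any middleware an operator can add; the point the example makes is that the decision must key on the peer address and a secret, never on client-supplied headers, and that a 'code' parameter on any route is worth treating as a probe.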

Potential Impact

Successful exploitation lets a remote attacker influence what expr.Exec evaluates inside a Milvus instance, which can expose internal state, alter data or disrupt the service: a partial loss of confidentiality, integrity and availability of the vector database. Downstream, that means interrupted AI workloads, degraded service reliability, or exposure of data processed by Milvus, and organizations that embed Milvus in AI, search or analytics pipelines may see operational disruption or a data breach. Because the attack is network-borne and a public exploit exists, an unpatched instance whose HTTP endpoint is reachable from untrusted networks can be attacked with little effort. The impact is bounded by the medium rating and the scope of the affected component, but an exposed production instance remains a significant risk, especially where Milvus sits inside a larger data pipeline and its process has access to other systems.

Mitigation Recommendations

1. Upgrade to Milvus 2.6.8 as soon as it is released; the fix is announced for that version.
2. Until then, keep the Milvus HTTP endpoint off untrusted networks: restrict it to trusted management subnets with firewall rules, network policies or segmentation, and never expose it to the internet.
3. Treat any interface that accepts a 'code' argument as privileged: require a strong secret and restrict who can call it. If you build Milvus from source, consider disabling the route until the fix lands.
4. Monitor access logs and network traffic for requests to the expression endpoint, and for requests carrying a 'code' parameter on any route, particularly from sources outside the trusted range.
5. Where a WAF or RASP sits in front of the endpoint, add rules that block or alert on the 'code' parameter from untrusted sources. Generic deserialization signatures are unlikely to match an expression payload, so key the rules on the endpoint and parameter rather than on payload shape.
6. Include deserialization and dynamic code evaluation in security assessments and code reviews of the Milvus deployment and of anything that proxies requests to it.
7. Brief DevOps and security teams on the issue, the exposure of the HTTP endpoint, and the patch timeline.
8. Run Milvus with least privilege and in isolated containerized or sandboxed environments, so that code execution inside the process yields as little as possible.
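Mitigation item 4 asks for monitoring of requests that target the expression endpoint. As an added example, not part of the advisory or of Milvus, here is a Go detection routine run over constructed access-log lines. It assumes a hypothetical route /expr and a simple `timestamp source "METHOD target proto" status` log shape, flags both requests to that route and requests that carry a 'code' parameter on any other route, and decodes the parameter so the analyst sees the submitted expression rather than its URL-encoded form. Lines that do not fit the expected shape are counted rather than dropped silently, so a format change does not turn into a blind spot.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumption (not stated in the advisory): the HTTP route that reaches
// expr.Exec. Adjust to the path your deployment actually exposes.
const exprPath = "/expr"

// Constructed access-log lines (not real Milvus output) in the shape
// `timestamp source "METHOD target proto" status`.
var sampleLog = []string{
	`2026-01-05T02:40:11Z 203.0.113.7 "GET /expr?code=1%2B1 HTTP/1.1" 200`,
	`2026-01-05T02:40:12Z 10.1.2.3 "GET /health HTTP/1.1" 200`,
	`2026-01-05T02:40:13Z 198.51.100.9 "POST /expr?code=len%28%27x%27%29 HTTP/1.1" 401`,
	`2026-01-05T02:40:14Z 10.1.2.4 "GET /metrics?code=1 HTTP/1.1" 200`,
	`2026-01-05T02:40:15Z 10.1.2.3 "GET /expr HTTP/1.1" 400`,
	`2026-01-05T02:40:16Z not a request line`,
}

// finding is one request worth an analyst's attention.
type finding struct {
	Src, Method, Path, Code, Status, Reason string
}

// parseLine splits a log line into its request fields; ok is false for lines
// that do not fit the expected shape.
func parseLine(line string) (src, method, target, status string, ok bool) {
	parts := strings.SplitN(line, `"`, 3)
	if len(parts) != 3 {
		return "", "", "", "", false
	}
	head := strings.Fields(parts[0])
	req := strings.Fields(parts[1])
	if len(head) < 2 || len(req) < 2 {
		return "", "", "", "", false
	}
	return head[1], req[0], req[1], strings.TrimSpace(parts[2]), true
}

// findExprRequests flags every request that hits the expression route, and
// every request that carries a "code" parameter on any other route, decoding
// the parameter so the submitted expression is readable in the alert. Rejected
// attempts (non-2xx status) are reported too: they are still probes.
func findExprRequests(lines []string) (found []finding, unparsed int) {
	for _, line := range lines {
		src, method, target, status, ok := parseLine(line)
		if !ok {
			unparsed++
			continue
		}
		u, err := url.ParseRequestURI(target)
		if err != nil {
			unparsed++
			continue
		}
		code := u.Query().Get("code")
		var reason string
		switch {
		case u.Path == exprPath:
			reason = "request to expression endpoint"
		case code != "":
			reason = "code parameter on non-expression route"
		default:
			continue
		}
		found = append(found, finding{src, method, u.Path, code, status, reason})
	}
	return found, unparsed
}

func main() {
	found, unparsed := findExprRequests(sampleLog)
	for _, f := range found {
		fmt.Printf("%-14s %-4s %-9s status=%s code=%q (%s)\n", f.Src, f.Method, f.Path, f.Status, f.Code, f.Reason)
	}
	fmt.Printf("%d flagged, %d unparsed\n", len(found), unparsed)
}
```

The same logic ports directly to a SIEM rule: match on the route or on the presence of the parameter, then enrich with the decoded value and the source address, and alert on any source outside the trusted range regardless of the response status.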


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-01-04T08:52:58.262Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695b2c97db813ff03e0dbd54

Added to database: 1/5/2026, 3:14:31 AM

Last enriched: 2/23/2026, 11:06:20 PM

Last updated: 3/26/2026, 4:35:42 AM

Views: 216
