CVE-2025-64513: CWE-287: Improper Authentication in milvus-io milvus
Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. This issue has been fixed in Milvus 2.4.24, 2.5.21, and 2.6.5. If immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass behavior.
AI Analysis
Technical Summary
Milvus is an open-source vector database designed to support generative AI workloads by efficiently managing and querying high-dimensional vector data. The vulnerability identified as CVE-2025-64513 affects the Milvus Proxy component, which acts as an intermediary managing client requests and enforcing authentication. The flaw is an improper authentication vulnerability (CWE-287) that allows an unauthenticated attacker to bypass all authentication controls in the proxy. This bypass is triggered by the presence of a crafted sourceID header in incoming requests, which the proxy incorrectly trusts to authenticate the client. By exploiting this, attackers gain full administrative privileges over the Milvus cluster, enabling them to read sensitive vector data, alter or delete datasets, and perform administrative tasks such as creating or deleting databases and collections. The vulnerability affects Milvus versions prior to 2.4.24, versions from 2.5.0 up to but not including 2.5.21, and versions from 2.6.0 up to but not including 2.6.5. The vendor has released patches in versions 2.4.24, 2.5.21, and 2.6.5 to address this issue by correcting the authentication logic. Until systems can be upgraded, a recommended temporary mitigation is to remove the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level, preventing the proxy from receiving the malicious header and thus blocking the bypass. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical nature due to network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability of the system. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations leveraging Milvus for AI and vector data management, this vulnerability poses a severe risk. An attacker exploiting this flaw can gain unrestricted administrative access to Milvus clusters, potentially exposing sensitive AI model data, intellectual property, or personal data stored within vector embeddings. This can lead to data breaches, data tampering, or complete loss of data integrity and availability, severely disrupting AI-driven services and analytics. Organizations in sectors such as finance, healthcare, telecommunications, and research institutions that utilize Milvus for advanced AI workloads are particularly at risk. The ability to modify or delete data and perform administrative operations can also facilitate further lateral movement or persistence within the network. Given the criticality and ease of exploitation (no authentication or user interaction required), the vulnerability could be leveraged in targeted attacks or automated scanning campaigns. The impact extends beyond data loss to reputational damage, regulatory non-compliance (e.g., GDPR), and operational downtime.
Mitigation Recommendations
1. Immediate upgrade to Milvus versions 2.4.24, 2.5.21, or 2.6.5 or later to apply the official patch that fixes the authentication bypass.
2. If upgrading is not immediately feasible, implement a temporary mitigation by configuring the gateway, API gateway, or load balancer to strip the sourceID header from all incoming requests before they reach the Milvus Proxy component. This prevents the proxy from processing the malicious header used to bypass authentication.
3. Restrict network access to the Milvus Proxy component by enforcing strict firewall rules and network segmentation to limit exposure to untrusted networks.
4. Monitor logs and network traffic for unusual or unauthorized access attempts, especially requests containing suspicious headers or originating from unknown sources.
5. Employ intrusion detection systems (IDS) or endpoint detection and response (EDR) tools to detect potential exploitation attempts.
6. Review and audit Milvus cluster permissions and access controls regularly to ensure no unauthorized changes have occurred.
7. Educate DevOps and security teams about this vulnerability and ensure timely patch management processes are in place for critical infrastructure components.
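As an added illustration of recommendations 2 and 4 (not code from the Milvus project or from this advisory), the Go handler below strips any sourceID header, whatever its letter case, before forwarding a request to the Milvus Proxy and logs each removal so the attempts can be reviewed. It assumes a plain HTTP reverse proxy in front of the Milvus Proxy's HTTP endpoint (the upstream address and listen port are placeholders); the same header-removal rule must also be applied in whatever gateway fronts the gRPC port, since gRPC metadata keys travel as lowercase HTTP/2 headers.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Header the advisory tells gateways to drop before requests reach the
// Milvus Proxy. Matched case-insensitively: HTTP header names are
// case-insensitive and gRPC metadata keys are lowercased on the wire.
const sourceIDHeader = "sourceID"

// StripSourceID deletes every header named sourceID (any case) and reports
// whether one was present so the caller can log the attempt. All other
// headers, such as Authorization, are left untouched.
func StripSourceID(h http.Header) bool {
	found := false
	for name := range h {
		if strings.EqualFold(name, sourceIDHeader) {
			delete(h, name) // deleting during range is safe in Go
			found = true
		}
	}
	return found
}

// NewGatewayHandler reverse-proxies to the Milvus Proxy's HTTP endpoint,
// stripping sourceID from each request and logging each removal.
func NewGatewayHandler(milvusProxy *url.URL) http.Handler {
	upstream := httputil.NewSingleHostReverseProxy(milvusProxy)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if StripSourceID(r.Header) {
			log.Printf("removed sourceID header: client=%s %s %s",
				r.RemoteAddr, r.Method, r.URL.Path)
		}
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder upstream address (assumption); adjust to your deployment.
	proxy, err := url.Parse("http://milvus-proxy.internal:9091")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", NewGatewayHandler(proxy)))
}
```

The log line gives the monitoring in recommendation 4 a concrete event to alert on: a legitimate client has no reason to send this header, so each removal is worth a look.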
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.400Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691264812d2520af5f32766f
Added to database: 11/10/2025, 10:17:37 PM
Last enriched: 11/17/2025, 11:07:18 PM
Last updated: 12/26/2025, 1:30:59 AM