A critical authentication bypass vulnerability in the Milvus vector database could allow attackers to gain administrative access without credentials.
The flaw exists in how the Milvus Proxy component handles HTTP headers, treating user-controlled data as trusted internal credentials.
Critical Security Risk in Vector Database
Milvus, an open-source vector database widely used for generative AI applications, contains a dangerous design flaw in its authentication mechanism.
The vulnerability, tracked as CVE-2025-64513, enables attackers to bypass all authorization checks by forging a single HTTP header.
| Property | Details |
|---|---|
| Vulnerability Type | Authentication Bypass / Header Forgery |
| Affected Product | Milvus Vector Database |
| Affected Versions | 2.4.0–2.4.24, 2.5.0–2.5.21, 2.6.0–2.6.5 |
| CVSS Score | 9.8 (Critical) |
| CVE | CVE-2025-64513 |
This means an attacker can access sensitive database operations, including listing databases, modifying data, and executing administrative commands, all without providing a username, password, or API key.
The root cause lies in how the Proxy component validates requests from internal system components.
Instead of using secure credentials, the system relies on a base64-encoded header value that can be easily forged by any attacker with network access to the Milvus instance.
The vulnerability exploits a flaw in the Proxy’s authentication interceptor. When a request arrives with a source ID header, the system base64-decodes the value and compares it to a hardcoded constant: @@milvus-member@@.
If the values match, the system assumes the request comes from an internal component and completely bypasses standard authentication checks.
An attacker can exploit this by simply base64-encoding the hardcoded constant and adding it as a request header.
Once bypassed, the attacker gains full administrative access to the Milvus database, including the ability to query sensitive data, create or delete databases, and perform other privileged operations.
Multiple Milvus versions are vulnerable to this flaw:
- Milvus 2.4.0 through 2.4.24
- Milvus 2.5.0 through 2.5.21
- Milvus 2.6.0 through 2.6.5
Organizations running these versions should prioritize immediate patching or implement network-level access controls as a temporary mitigation.
Security researchers have documented a working proof-of-concept demonstrating the bypass.
The PoC connects to a Milvus Proxy and first attempts an unauthenticated request, which fails as expected.
However, when the forged sourceId header is added, the same requests succeed, returning sensitive information such as database names and system health status.
The vulnerable code shows that the validation function performs only a simple base64 decode and string comparison.
This trust-based approach assumes that only internal components would know the constant value, a dangerous assumption in real-world deployments.
Users should update to patched versions that implement proper authentication for all requests.
The fix removes the flawed trust-based logic, ensuring that all requests, regardless of headers, must pass through standard authentication channels.
This eliminates the possibility of bypassing security through header manipulation.
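As an added illustration of the flaw described above and of the shape of the fix, the following Go program is not Milvus source code (the article does not reproduce any) but a simplified model of a proxy authentication interceptor. The constant @@milvus-member@@ and the sourceId header name are the ones quoted in the article; the Request type, the in-memory credential store, and the function names VulnerableAuthorize, HardenedAuthorize and ForgedSourceID are assumptions made for the example. The last function is the defender-side piece: a check a reverse proxy or WAF in front of an unpatched instance could use to log or drop requests whose header decodes to the internal marker.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constant quoted in the advisory. Everything below is a hypothetical,
// simplified model of a proxy authentication interceptor, not Milvus code.
const memberMarker = "@@milvus-member@@"

// Request is a stand-in for an incoming proxy request: its headers plus the
// username/password the caller presented (empty when unauthenticated).
type Request struct {
	Headers  map[string]string
	Username string
	Password string
}

// credentials is a constructed user store for the example; a real deployment
// would hold password hashes, never plaintext.
var credentials = map[string]string{"admin": "example-secret"}

var errUnauthenticated = errors.New("unauthenticated")

// checkCredentials is the "standard authentication channel": the only
// decision point the hardened path allows.
func checkCredentials(r Request) error {
	want, ok := credentials[r.Username]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(r.Password)) != 1 {
		return errUnauthenticated
	}
	return nil
}

// VulnerableAuthorize models the flawed logic the article describes: a
// base64-decoded header equal to the marker is taken as proof of an internal
// caller and credential checks are skipped entirely.
func VulnerableAuthorize(r Request) error {
	if raw, ok := r.Headers["sourceId"]; ok {
		decoded, err := base64.StdEncoding.DecodeString(raw)
		if err == nil && string(decoded) == memberMarker {
			return nil // trusted on the strength of a header: the bug
		}
	}
	return checkCredentials(r)
}

// HardenedAuthorize models the fix: header values never influence the
// authentication decision, so every request must carry valid credentials.
func HardenedAuthorize(r Request) error {
	return checkCredentials(r)
}

// ForgedSourceID reports whether a header value decodes to the internal
// marker; useful for logging or blocking in front of an unpatched instance.
func ForgedSourceID(headerValue string) bool {
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(headerValue))
	return err == nil && string(decoded) == memberMarker
}

func main() {
	// Constructed sample traffic: one request with only the forged header,
	// one with real credentials and no header.
	forged := Request{Headers: map[string]string{
		"sourceId": base64.StdEncoding.EncodeToString([]byte(memberMarker)),
	}}
	legit := Request{Username: "admin", Password: "example-secret"}

	fmt.Println("vulnerable, forged header only:", VulnerableAuthorize(forged)) // <nil>: bypass
	fmt.Println("hardened,   forged header only:", HardenedAuthorize(forged))   // unauthenticated
	fmt.Println("hardened,   valid credentials: ", HardenedAuthorize(legit))    // <nil>
	fmt.Println("header flagged by ForgedSourceID:", ForgedSourceID(forged.Headers["sourceId"]))
}
```

The point of keeping HardenedAuthorize to a single call is the design lesson the article draws: a shared constant is not a credential, and any "internal caller" shortcut that keys off request metadata is reachable by whoever can reach the proxy, so the authorization path should not branch on it at all.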
For organizations unable to patch immediately, implementing strict network segmentation and rate limiting on Milvus endpoints can reduce exposure.
However, these measures are not substitutes for applying the official security update.
