Critical authentication bypass flaw enables takeover of Milvus Vector Database
Take action: If you're running the Milvus vector database, immediately upgrade to the patched version (2.4.24+, 2.5.21+, or 2.6.5+ depending on your branch). The flaw lets attackers send requests with a crafted HTTP header that the server treats as proof of authentication. If you can't patch right away, temporarily block the "sourceId" HTTP header at your gateway or load balancer. Prioritize the upgrade, since filtering the header is only a temporary fix.
Learn More
Milvus, an open-source vector database platform that powers generative AI applications and large-scale search systems, is reporting a critical authentication bypass vulnerability in its Proxy component.
The flaw, tracked as CVE-2025-64513 (CVSS score 9.8), allows attackers to circumvent all authentication mechanisms and gain full administrative access to Milvus clusters. The vulnerability is caused by a flawed implementation of the Proxy's authentication check. Instead of requiring standard credentials such as a username/password combination or an API key, the vulnerable code trusts a user-controlled HTTP header called "sourceId." The authentication mechanism base64-decodes this header value and compares it against a hardcoded constant ("@@milvus-member@@").
By forging the sourceId header with the encoded constant, attackers can bypass all authorization checks, causing requests to be treated as originating from trusted internal components. The attacker is granted unrestricted administrative privileges, enabling them to query vectors, insert or delete data, modify database configurations, create or delete collections, and perform any privileged administrative operation available in the Milvus cluster.
Security researchers have noted that over 6,000 potentially vulnerable Milvus instances are exposed on the internet. Organizations are strongly urged to upgrade immediately to the patched releases:
- Milvus 2.4.24 or later for the 2.4 branch,
- Milvus 2.5.21 or later for the 2.5 branch,
- Milvus 2.6.5 or later for the 2.6 branch.
For organizations where immediate patching is not feasible, administrators can implement network-level filtering to remove the sourceId header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This mitigation prevents attackers from exploiting the authentication bypass behavior until a permanent upgrade can be deployed.
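As an added example (not code from this advisory or from the Milvus project), the following Python script shows the two defensive pieces described above: a gateway-side filter that drops every spelling of the `sourceId` header before a request is forwarded to the Milvus Proxy, and a log check that flags requests which carried the header, separating the exact bypass pattern (the header decodes to the internal member constant) from any other use of it. The header name, the constant and the base64 comparison come from the advisory; the JSON log format, its field names, the request paths and the log lines themselves are constructed for the example and are not real traffic.

```python
import base64
import binascii
import json

# From the advisory: the vulnerable Proxy base64-decodes the "sourceId"
# header and compares the result with this constant.
INTERNAL_MEMBER_MARKER = "@@milvus-member@@"
HEADER_NAME = "sourceid"  # HTTP header names are case-insensitive


def decode_source_id(value: str):
    """Return the decoded header value, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify_request(headers: dict) -> str:
    """Classify one request by its headers.

    'clean'      - no sourceId header at all
    'suspicious' - sourceId present but not the bypass value; external
                   clients have no reason to send this header
    'bypass'     - sourceId decodes to the internal member constant
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if HEADER_NAME not in lowered:
        return "clean"
    decoded = decode_source_id(lowered[HEADER_NAME].strip())
    if decoded == INTERNAL_MEMBER_MARKER:
        return "bypass"
    return "suspicious"


def strip_source_id(headers: dict) -> dict:
    """Gateway-side stopgap: remove the header in every capitalisation
    before the request reaches the Proxy (the advisory's interim mitigation)."""
    return {k: v for k, v in headers.items() if k.lower() != HEADER_NAME}


def scan_log(lines) -> list:
    """Scan exported access-log records (one JSON object per line, a
    constructed format for this example) and return non-clean findings
    as (source IP, path, verdict) tuples."""
    findings = []
    for line in lines:
        record = json.loads(line)
        verdict = classify_request(record.get("headers", {}))
        if verdict != "clean":
            findings.append((record.get("src_ip"), record.get("path"), verdict))
    return findings


# Constructed sample log lines (not captured traffic). The second record
# carries the base64 encoding of the internal member constant; the third
# carries a sourceId value that decodes to something else.
SAMPLE_LOG = [
    '{"src_ip": "10.0.0.5", "path": "/v2/vectordb/collections/list", '
    '"headers": {"Authorization": "Bearer REDACTED"}}',
    '{"src_ip": "203.0.113.7", "path": "/v2/vectordb/collections/drop", '
    '"headers": {"sourceId": "QEBtaWx2dXMtbWVtYmVyQEA="}}',
    '{"src_ip": "198.51.100.9", "path": "/v2/vectordb/entities/query", '
    '"headers": {"sourceid": "bm90LWEtbWVtYmVy"}}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("%s %s -> %s" % finding)
    print(strip_source_id({"sourceId": "anything", "Host": "milvus.internal"}))
```

Any request from outside the cluster that carries `sourceId` deserves a look, not only the exact bypass value, because legitimate clients authenticate with credentials and never set that header; the three-way verdict keeps the confirmed bypass attempts distinct from the noise. The `strip_source_id` function is the same rule an nginx or API-gateway configuration would enforce, written out so it can be checked against sample input.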
This is only a stopgap measure, and organizations should prioritize upgrading to patched versions as soon as possible.