Auth bypass in Milvus-io Milvus
CVE-2025-64513
Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Pro…
Vulnerability class: Broken Authentication
EPSS score: 0.002 (35.9th percentile)
Affected products
- Milvus-io Milvus: versions < 2.4.24; >= 2.5.0 and < 2.5.21; >= 2.6.0 and < 2.6.5 (fixed in 2.4.24, 2.5.21 and 2.6.5)
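As an added example that is not part of the advisory or of Milvus's own code: a small Python triage helper that encodes the affected ranges above and classifies a constructed inventory of Milvus server versions. The hostnames and versions in the sample are made up; the mapping of lines older than 2.4 to 2.4.24 as the upgrade target is this example's assumption.

```python
"""Triage Milvus server versions against the CVE-2025-64513 affected ranges.

Added example for this page; it is not Milvus project code. The version ranges and
patched releases are taken from the advisory; the inventory below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Advisory ranges as (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (2, 4, 24)),       # everything before 2.4.24
    ((2, 5, 0), (2, 5, 21)),  # 2.5.x before 2.5.21
    ((2, 6, 0), (2, 6, 5)),   # 2.6.x before 2.6.5
]

# First patched release of each maintained line.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (2, 4): (2, 4, 24),
    (2, 5): (2, 5, 21),
    (2, 6): (2, 6, 5),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")
_PRERELEASE_MARKERS = ("rc", "alpha", "beta", "dev")


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_prerelease) for strings like 'v2.5.20' or '2.6.5-rc1'.

    A suffix such as '-rc1' marks a pre-release; other suffixes (e.g. a '-gpu' image tag
    variant) are build flavours and ignored. Unparseable input raises rather than silently
    reading as 'fixed'.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Milvus version string: {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = (m.group(4) or "").lower()
    return version, suffix.startswith(_PRERELEASE_MARKERS)


def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range.

    A pre-release of a fixed version (2.6.5-rc1) predates that fix, so it is treated
    as affected: conservative, which is the right default when scanning an inventory.
    """
    version, prerelease = parse_version(text)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or version >= lower) and version < upper:
            return True
    return prerelease and any(version == upper for _, upper in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """Lowest patched release a host should move to, or None if it is already past the fix.

    Lines older than 2.4 are mapped to 2.4.24 (the oldest patched release); that is this
    example's assumption, not advisory guidance on which line to migrate to.
    """
    if not is_affected(text):
        return None
    (major, minor, _), _ = parse_version(text)
    target = FIXED_RELEASES.get((major, minor), FIXED_RELEASES[(2, 4)])
    return "v%d.%d.%d" % target


def triage(inventory: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Produce one row per host: version, whether affected, and the upgrade target."""
    rows = []
    for host, version in sorted(inventory.items()):
        rows.append({
            "host": host,
            "version": version,
            "status": "affected" if is_affected(version) else "fixed",
            "upgrade_to": recommended_fix(version),
        })
    return rows


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "vec-prod-01": "v2.5.20",
    "vec-prod-02": "v2.5.21",
    "vec-staging": "2.6.5-rc1",
    "vec-legacy": "v2.3.9-gpu",
    "vec-new": "v2.6.6",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['version']:<12} {row['status']:<9} -> {row['upgrade_to'] or 'no action'}")
```

Live version strings can be collected with pymilvus (`utility.get_server_version()`) and fed into `triage`; that call needs network access and a credential, so it is kept out of the offline block.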
Weakness classification (CWE)
- CWE-287: Improper Authentication
Public proof-of-concept exploits
References
- https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p (vendor security advisory)
- https://github.com/milvus-io/milvus/pull/45379 (pull request)
- https://github.com/milvus-io/milvus/pull/45383 (pull request)
- https://github.com/milvus-io/milvus/pull/45391 (pull request)
Frequently asked questions
- What is CVE-2025-64513?
- CVE-2025-64513 is an authentication bypass in Milvus-io Milvus, classified as Improper Authentication (CWE-287). It was published 2025-11-10 and is fixed in 2.4.24, 2.5.21 and 2.6.5.
- Is CVE-2025-64513 known to be exploited?
- One public proof-of-concept repository is indexed. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; a public PoC shows the bypass is reproducible but is not by itself evidence of exploitation in the wild.