A critical authentication bypass flaw in Milvus Proxy (CVE-2025-64513) allows attackers to bypass all security checks.
Discovered by the HelixGuard Team on November 12, 2025, this issue affects popular versions of Milvus, an open-source vector database designed for AI workloads, including generative models.
Attackers forge a user-controlled HTTP header called sourceId with a base64-encoded value of @@milvus-member@@.
This tricks the proxy into treating the request as coming from an internal trusted component, granting full administrative access without any username, password, or API key.
Milvus developers fixed the problem in a recent commit by removing this flawed trust logic. Now, every request must be properly authenticated.
Users running vulnerable setups face high risks, especially in cloud or AI environments where vector databases store sensitive embeddings.
| CVE ID | CVSS Score | Affected Versions | Impact | Exploit Prerequisites |
|---|---|---|---|---|
| CVE-2025-64513 | 9.1 (Critical) | Milvus [2.4.0, 2.4.24); Milvus [2.5.0, 2.5.21); Milvus [2.6.0, 2.6.5) | Full auth bypass, admin access, RCE potential via management APIs | Network access to Milvus Proxy (default port 19530); no privileges needed |
The vulnerability stems from weak header validation in authentication_interceptor.go.
When authentication is enabled, the proxy calls validSourceID(), which base64-decodes the sourceId header and checks it against the hardcoded constant @@milvus-member@@.
If it matches, the system skips user auth entirely and assumes an internal call.
Here's the vulnerable code snippet (shown as the article describes it, with the flawed trust logic intact):

```go
// validSourceID treats any request whose sourceId header base64-decodes to
// util.MemberCredID ("@@milvus-member@@") as an internal Milvus member.
// The header is fully client-controlled, so this comparison is the bypass.
func validSourceID(ctx context.Context, authorization []string) bool {
	if len(authorization) < 1 {
		return false
	}
	token := authorization[0]
	sourceID, err := crypto.Base64Decode(token)
	if err != nil {
		return false
	}
	return sourceID == util.MemberCredID // Hardcoded: "@@milvus-member@@"
}
```

In the auth flow:

```go
if Params.CommonCfg.AuthorizationEnabled.GetAsBool() {
	if !validSourceID(ctx, md[strings.ToLower(util.HeaderSourceID)]) {
		// Fallback to username/password or API key
	}
	// Else: full bypass, no credential check of any kind
}
```

Anyone can send `sourceId: <base64("@@milvus-member@@")>` over gRPC to bypass checks.
This works on operations like ListDatabases, CheckHealth, or even collection management, enabling data exfiltration or manipulation.
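Because a legitimate client never presents this header at the proxy's external port, its mere presence is a clean detection signal. The following Go code is an added example written for this article, not Milvus project code: it mirrors the pre-patch check as a detector and runs it over constructed request records in a hypothetical `key=value` format (the record format, the `ScanRequests`/`IsForgedMemberHeader` names and the use of standard base64 are assumptions).

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Mirrors util.MemberCredID and util.HeaderSourceID; gRPC lower-cases metadata keys.
const (
	memberCredID   = "@@milvus-member@@"
	headerSourceID = "sourceid"
)

// IsForgedMemberHeader reports whether request metadata carries a sourceId value
// the pre-patch proxy would have accepted as an internal member (standard base64
// assumed). At the external proxy port this is a bypass attempt, never legitimate.
func IsForgedMemberHeader(md map[string][]string) bool {
	for _, v := range md[headerSourceID] {
		if d, err := base64.StdEncoding.DecodeString(v); err == nil && string(d) == memberCredID {
			return true
		}
	}
	return false
}

// ScanRequests parses constructed "key=value" request records (hypothetical format,
// not Milvus's log layout) and returns the peers that sent a forged member header.
func ScanRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		md := map[string][]string{}
		for _, f := range strings.Fields(line) {
			if k, v, ok := strings.Cut(f, "="); ok {
				md[strings.ToLower(k)] = append(md[strings.ToLower(k)], v)
			}
		}
		if IsForgedMemberHeader(md) {
			flagged = append(flagged, strings.Join(md["peer"], ","))
		}
	}
	return flagged
}

func main() { // constructed records; only the second carries base64("@@milvus-member@@")
	fmt.Println(ScanRequests([]string{
		"peer=198.51.100.7 method=ListDatabases authorization=cm9vdDpNaWx2dXM=",
		"peer=203.0.113.5 method=ListDatabases sourceId=QEBtaWx2dXMtbWVtYmVyQEA=",
	})) // prints [203.0.113.5]
}
```

On patched versions the header is ignored, but the same check still surfaces scanners probing for the bug, so it is worth keeping as an alert rule after upgrading.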
To reproduce, set up a vulnerable Milvus standalone instance:
The patch at GitHub commit enforces standard auth for all requests. Update to Milvus 2.4.24+, 2.5.21+, or 2.6.5+ immediately.
Check exposures via Shodan for port 19530. No known in-the-wild exploits yet, but AI infrastructure demands quick patching.