Upgrade github.com/milvus-io/milvus/pkg/util to version 2.4.24, 2.5.21, 2.6.0-rc1 or higher.
Affected versions of this package are vulnerable to Improper Authentication through the Milvus Proxy component, which skips the source ID check. By sending specially crafted requests that bypass authentication mechanisms, an attacker can gain full administrative access to the cluster, allowing them to read, modify, or delete data and perform privileged operations.
This vulnerability can be mitigated by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the affected component.
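
One way to apply this mitigation in a Go net/http gateway, as an added example (not code from Milvus or from this advisory): the middleware drops every sourceID header, whatever its casing, before the request is forwarded. StripSourceID, Forwarded and the sample request are hypothetical names and constructed data, and the example assumes the gateway is the only network path to the Milvus Proxy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header named in the advisory's mitigation; matched case-insensitively.
const blockedHeader = "sourceID"

// StripSourceID deletes every client-supplied header named blockedHeader (any
// casing) before next runs. onStrip, if non-nil, gets the count for logging.
func StripSourceID(next http.Handler, onStrip func(r *http.Request, n int)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		removed := 0
		for name, values := range r.Header {
			// Compare raw map keys: Header.Del only hits the canonical form.
			if strings.EqualFold(name, blockedHeader) {
				removed += len(values)
				delete(r.Header, name)
			}
		}
		if removed > 0 && onStrip != nil {
			onStrip(r, removed)
		}
		next.ServeHTTP(w, r)
	})
}

// Forwarded sends a constructed request carrying `in` through the filter and
// returns the headers the upstream handler saw plus the removal count.
func Forwarded(in http.Header) (seen http.Header, removed int) {
	upstream := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Clone()
	})
	req := httptest.NewRequest(http.MethodPost, "/constructed/path", nil)
	req.Header = in.Clone()
	StripSourceID(upstream, func(_ *http.Request, n int) { removed = n }).
		ServeHTTP(httptest.NewRecorder(), req)
	return seen, removed
}

func main() {
	// Constructed sample: two spellings of the header plus an unrelated one.
	seen, n := Forwarded(http.Header{"Sourceid": {"x"}, "sourceID": {"y"}, "Authorization": {"Bearer constructed"}})
	fmt.Println(n, seen)
}
```

In a real gateway the handler passed as next would be the reverse proxy to the Milvus Proxy, and a non-zero count from onStrip is worth logging, since ordinary clients are not expected to send this header.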