CVE-2025-64513 PoC — milvus 授权问题漏洞

Source

https://github.com/shinyseam/CVE-2025-64513

Associated Vulnerability

Title:milvus 授权问题漏洞 (CVE-2025-64513)
Description:milvus是The Milvus Project开源的一个高性能的云原生矢量数据库。 Milvus 2.4.24之前版本、2.5.21之前版本和2.6.5之前版本存在授权问题漏洞，该漏洞源于Milvus Proxy组件中存在认证机制绕过问题，可能导致攻击者获得完全管理权限。

Description

PoC for CVE-2025-64513 — Milvus Proxy Authentication Bypass Vulnerability   Batch scanner to verify unauthorized access and gather Milvus version, health, and database info.   For security research and defensive validation only.

Readme

# CVE-2025-64513 – Milvus Proxy Authentication Bypass Vulnerability PoC

## 📘 Overview

This repository contains a **proof-of-concept (PoC)** script to verify the existence of **CVE-2025-64513**,
a critical **authentication bypass vulnerability** in **Milvus Proxy** that may allow unauthorized access to internal APIs.

When an unauthenticated request is sent with a crafted `sourceid` header, some Milvus versions fail to enforce identity checks, resulting in potential **full unauthenticated access** to the database metadata and collection information.

> ⚠️ This PoC is for **security research and defensive validation only**.
> Do **not** use it on systems without explicit authorization.

---

## 🚨 Affected Versions

According to current analysis, the following Milvus versions are affected:

| Version Range    | Status     |
| ---------------- | ---------- |
| `< 2.4.24`       | Vulnerable |
| `2.5.* < 2.5.21` | Vulnerable |
| `2.6.* < 2.6.5`  | Vulnerable |

Later versions are expected to include authentication enforcement fixes.

---

## 🧰 Features

* Detects unauthenticated Milvus Proxy access.
* Collects detailed system information:

  * Milvus **version**
  * **Health status** (`GetMetrics`)
  * **Database count and names**
  * **Collection count** per database
* Supports **batch scanning** from file input.
* **Multi-threaded** for faster verification.

---

## ⚙️ Usage

### 1️⃣ Installation

```bash
git clone https://github.com/<yourname>/CVE-2025-64513-POC.git
cd CVE-2025-64513-POC
pip install -r requirements.txt
```

`requirements.txt` should include:

```
grpcio
pymilvus
```

---

### 2️⃣ Prepare Targets File

Create a text file (e.g. `targets.txt`):

```
192.168.1.10:19530
milvus.example.com:19530
```

Lines starting with `#` are ignored.

---

### 3️⃣ Run PoC

```bash
python3 check_cve_2025_64513.py targets.txt
```

---

## 🧾 Example Output

```
Starting scan for 2 targets ...

[+] 192.168.1.10:19530 is vulnerable to unauthorized access
[Version] 2.5.10
[Health] Healthy
[Database Count] 2
[Databases] ['default', 'analytics']
[Collections per Database] {'default': ['users', 'products'], 'analytics': ['events']}

[-] milvus.example.com:19530 not vulnerable (RPC failed: UNAVAILABLE)

```

---

## 🛡️ Mitigation

* Upgrade to the latest Milvus version (`>= 2.6.5` recommended).
* Restrict access to port `19530` using firewall or reverse proxy.
* Enforce authentication and TLS for all external access.

---

## 📚 References

* [CVE-2025-64513 – NVD Listing (pending)](https://nvd.nist.gov/)
* [Milvus Official Website](https://milvus.io)
* [Milvus GitHub Repository](https://github.com/milvus-io/milvus)

---

## ⚠️ Legal Disclaimer

This project is intended **solely for educational and defensive research purposes**.
Running this PoC against systems without authorization is **illegal**.
The author and contributors **assume no liability** for misuse or damage caused by this code.

File Snapshot


 [4.0K]  /data/pocs/4ce87170e2b5c79db136e41c9cb4fab407c06ca8
└── [2.9K]  README.md

1 directory, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!