CVE-2025-15453

Summary

A security vulnerability has been detected in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. A fix is planned for the next release 2.6.8.

Affected Software

VendorProductVersion RangeStatus
n/amilvus2.6.0affected
n/amilvus2.6.1affected
n/amilvus2.6.2affected
n/amilvus2.6.3affected
n/amilvus2.6.4affected
n/amilvus2.6.5affected
n/amilvus2.6.6affected
n/amilvus2.6.7affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References