all blogs

Pinecone, Weaviate, and Milvus Security Issues in JavaScript and TypeScript Applications

This series shows how vulnerabilities propagate through the stack and provides a framework for defending AI applications in production.

Get the Playbook
written by
Mahesh Babu
published on
September 8, 2025
topic
Application Security
Contents
Example H2
Example H3

Introduction

Vector databases such as Pinecone, Weaviate, and Milvus are critical components of AI applications. Their JavaScript and TypeScript clients allow developers to embed, query, and retrieve high-dimensional vectors. These integrations come with application security risks, particularly when vector stores are treated as trusted rather than adversarial environments.

Data Exfiltration via Query Abuse

In Pinecone and Weaviate, queries can retrieve vectors along with metadata. If applications expose search endpoints without authentication, attackers can exfiltrate embeddings that contain sensitive corporate documents. One red team assessment demonstrated how an attacker used a simple vector similarity query to leak contract data embedded in Pinecone.

Injection in Vector Metadata

Weaviate and Milvus allow developers to attach metadata to vectors. Applications that concatenate user input into metadata fields without sanitization are vulnerable to injection. In one incident, metadata crafted with malicious JSON led to server errors that revealed underlying database configuration.

Over-Privileged API Keys

API keys for vector databases are often given full cluster access. In a 2024 security review, Pinecone deployments were found exposing keys that allowed both read and write operations. An attacker who compromises the key can poison embeddings, insert malicious data, or delete critical indices.

MITRE ATT&CK Mapping

Threat Vector MITRE Technique(s) Example
Unauthorized vector queries T1530 – Data from Cloud Storage Object Pinecone endpoint exposing embeddings without authentication
Metadata injection T1565 – Data Manipulation Weaviate metadata crafted to cause errors and leak config
API key misuse T1552 – Unsecured Credentials Pinecone API key with full cluster privileges abused for poisoning

Conclusion

Vector databases extend the attack surface of AI applications. Without strict authentication, data exfiltration and poisoning are straightforward. Security teams must enforce access controls, sanitize metadata, and scope API keys to the minimum necessary permissions.

References

  • Pinecone. (2024). Securing your Pinecone deployment. Pinecone Docs. https://docs.pinecone.io/docs/security
  • Weaviate. (2024). Security considerations. Weaviate Documentation. https://weaviate.io/developers/weaviate
  • MITRE ATT&CK®. (2024). ATT&CK Techniques. MITRE. https://attack.mitre.org/
Get the Playbook

Blog written by

Mahesh Babu

Head of Marketing

More blogs

View all

Prompt Injection Was Never the Real Problem

A review of “The Promptware Kill Chain”Over the last two years, “prompt injection” has become the SQL injection of the LLM era: widely referenced, poorly defined, and often blamed for failures that have little to do with prompts themselves.A recent arXiv paper, “The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multi-Step Malware,” tries to correct that by reframing prompt injection as just the initial access phase of a broader, multi-stage attack chain.As a security researcher working on real production AppSec and AI systems, I think this paper is directionally right and operationally incomplete.This post is a technical critique: what the paper gets right, where the analogy breaks down, and how defenders should actually think about agentic system compromise.

January 16, 2026

From SBOM Inventory to Package Intelligence

How Kodem turns SBOM packages into the control plane for investigation, governance and remediation

January 14, 2026

CVE-2026-21858: Ni8mare: Unauthenticated Remote Code Execution in n8n

An unauthenticated Remote Code Execution (RCE) flaw, tracked as CVE-2026-21858 (CVSS 10.0), has been discovered in n8n, the widely-adopted workflow automation platform. With over 100 million Docker pulls and an estimated 100,000 locally deployed instances, this vulnerability transforms n8n from a productivity tool into a severe single point of potential failure for organizations globally.

January 8, 2026

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

Stay up-to-date on Audit Nexus

A curated resource for the many updates to cybersecurity and AI risk regulations, frameworks, and standards.