Intel

AIKIDO-2026-25338

usearch is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

45

Medium Risk

This Affects:

PYTHONusearch
2.9.0 - 2.25.1
Fixed in 2.25.2
Are you affected? Scan for Free

TL;DR

The Python bindings resolve single-vector lookups in get_typed_vectors_for_keys by preallocating a 2D NumPy array and calling the underlying index.get without checking its return value. When Index.get is queried with a key that is not present in the index, the corresponding row is left as uninitialized heap memory and returned to the caller instead of None. Applications that query possibly-absent keys can therefore receive residual heap contents that may include previously stored vectors or other in-process data. The fix detects missing keys and returns py::none() for them while keeping a single backing allocation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application retrieves vectors for keys that may not exist in a non-multi USearch index.

Background info

usearch is vulnerable to Exposure of Sensitive Information in versions 2.9.0 - 2.25.1.

How to fix this

Upgrade the usearch library to the patch version.