CVE-2025-63389: ollama: Missing Auth allows unauthenticated access

CRITICAL CISA: TRACK*
Published December 18, 2025
CISO Take

Ollama instances reachable on any network interface, including internal networks and cloud VMs, expose their entire model-management and inference API to anyone who can connect to TCP/11434: one unauthenticated HTTP call can pull, delete, or replace production LLM models, and it leaves no credential-based IOCs because no credentials exist. Immediately bind Ollama to localhost only, verify that no running instance is reachable beyond 127.0.0.1:11434, and treat any internet-exposed Ollama as a confirmed incident.

What is the risk?

Critically high. The CVSS 9.8 reflects zero-barrier exploitation: network-reachable, no credentials, no user interaction, no complexity. Ollama is widely deployed by enterprise teams for local and on-prem LLM inference. Although the server binds to 127.0.0.1:11434 by default, it is routinely configured to listen on all interfaces (OLLAMA_HOST=0.0.0.0, which is also what the official Docker image sets) so that other hosts and containers can reach it. The attack surface is therefore unusually broad: developer workstations, MLOps tooling, and production inference nodes are all potentially exposed. There is no authentication layer to bypass; authentication is simply absent, so detection via auth logs is impossible and a malicious request is indistinguishable from legitimate traffic at the application layer. The only usable signals are the source address and the endpoint called.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Ollama    pip         (not listed)       No patch

Do you use Ollama? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 45% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. PATCH

    No patched release is listed for this CVE (the advisory covers versions up to and including v0.12.3). Upgrade Ollama to a release later than v0.12.3 as releases appear and watch the official GitHub releases, but do not wait for a patch: unless a later release adds built-in authentication, steps 2 through 4 are the actual fix.

  2. ISOLATE IMMEDIATELY

    Ensure Ollama binds only to loopback: set OLLAMA_HOST=127.0.0.1 in the service environment (for a systemd unit, an Environment= line in a drop-in override) and restart the service, then confirm with ss -ltnp | grep 11434 that the only listener is 127.0.0.1:11434 (or [::1]:11434). The official Docker image sets OLLAMA_HOST=0.0.0.0 inside the container; publish the port on loopback only (-p 127.0.0.1:11434:11434) rather than on all host interfaces.

  3. FIREWALL

    Block TCP/11434 at the host firewall level (iptables/nftables/security groups) — do not rely on application-level binding alone.

  4. REVERSE PROXY WITH AUTH

    Place an authenticated reverse proxy (nginx or Caddy with basic auth over TLS, or mTLS) in front of any Ollama instance that must be network-accessible, and keep Ollama itself bound to 127.0.0.1 so the proxy is the only path to port 11434. If remote clients only need inference, have the proxy expose just /api/generate, /api/chat and the OpenAI-compatible /v1/ paths and deny the model-management endpoints outright.

  5. AUDIT

    Run ollama list (or GET /api/tags, which returns each model's full sha256 digest) and cross-reference the digests against known-good pull manifests or a recorded baseline; any unexpected model, changed digest, or missing model is a potential IOC. Also review the modified timestamps for changes outside maintenance windows.

  6. DETECT

    Alert on any POST to /api/pull, /api/push, /api/create or /api/copy, and any DELETE to /api/delete (the delete endpoint uses the DELETE method, not POST), from a source other than localhost, using reverse-proxy or host HTTP logs, WAF rules, or network logs. Ollama's own server log records each request line with the client address, so forward it to the SIEM as well. Treat GET /api/tags from an unexpected source as the enumeration step that typically precedes tampering.
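The checks behind steps 2, 5 and 6, as an added example that is not part of this advisory and not Ollama's own tooling. It assumes the access log in front of Ollama is in Apache/nginx combined log format and that `ss -ltn` output is available; the log lines, the `ss` output and the model digests below are constructed samples, not real captures. The endpoint/method table follows the Ollama API reference (/api/delete uses DELETE; the rest use POST).

```python
"""Offline checks for the six-step response above.

Added example, not Ollama's own tooling or code from this advisory. It uses only
standard-library Python and constructed sample inputs; in production, feed it the
real output of `ss -ltn`, the access log of the reverse proxy (or host) fronting
Ollama, and the JSON returned by GET /api/tags.
"""
import ipaddress
import json
import re

OLLAMA_PORT = 11434

# Model-management endpoints and the HTTP method each uses (per the Ollama API
# reference). Inference endpoints (/api/generate, /api/chat) are deliberately
# not listed: they are expected traffic, and the goal is to catch model tampering.
MANAGEMENT_ENDPOINTS = {
    ("POST", "/api/pull"),      # fetch a model from a registry the caller names
    ("POST", "/api/push"),      # upload a model to a registry (model theft)
    ("POST", "/api/create"),    # build or overwrite a model from a Modelfile
    ("POST", "/api/copy"),      # duplicate a model under another name
    ("DELETE", "/api/delete"),  # remove a model (denial of service)
}

# Combined log format: src - - [ts] "METHOD PATH PROTO" status size "ref" "ua"
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards (*, 0.0.0.0, ::) are not loopback."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output: str, port: int = OLLAMA_PORT) -> list[str]:
    """Step 2 check: local addresses on which `port` listens outside loopback.

    Parses `ss -ltn` text (columns: State Recv-Q Send-Q Local Peer ...).
    """
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        local = cols[3]
        host, _, p = local.rpartition(":")
        if p == str(port) and not _is_loopback(host):
            exposed.append(local)
    return exposed


def suspicious_requests(log_lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Step 6 detection: management-API calls from any source other than localhost.

    Returns (src, method, path, status) per hit. Loopback sources are ignored so an
    administrator's local `ollama pull` / `ollama rm` does not alert.
    """
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; leave it to other parsers
        path = m["path"].split("?", 1)[0]
        if (m["method"].upper(), path) in MANAGEMENT_ENDPOINTS and not _is_loopback(m["src"]):
            hits.append((m["src"], m["method"].upper(), path, m["status"]))
    return hits


def inventory_drift(tags_json: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Step 5 audit: compare GET /api/tags output with a known-good {name: digest} map.

    A model absent from the baseline or with a changed digest is a potential IOC;
    a baseline model that disappeared points at /api/delete.
    """
    present = {m["name"]: m["digest"] for m in json.loads(tags_json)["models"]}
    return {
        "unexpected": sorted(n for n in present if n not in baseline),
        "digest_mismatch": sorted(n for n in present if n in baseline and present[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in present),
    }


# --- Constructed sample inputs (not real captures) ----------------------------
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:11434       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   [::1]:11434         [::]:*
"""

SAMPLE_LOG = [
    '127.0.0.1 - - [18/Dec/2025:10:12:41 +0000] "POST /api/generate HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '10.0.5.12 - - [18/Dec/2025:10:14:02 +0000] "POST /api/pull HTTP/1.1" 200 512 "-" "python-requests/2.32.3"',
    '10.0.5.12 - - [18/Dec/2025:10:14:09 +0000] "DELETE /api/delete HTTP/1.1" 200 0 "-" "python-requests/2.32.3"',
    '127.0.0.1 - - [18/Dec/2025:10:15:00 +0000] "POST /api/pull HTTP/1.1" 200 512 "-" "ollama/0.12.3"',
    '203.0.113.7 - - [18/Dec/2025:10:16:30 +0000] "GET /api/tags HTTP/1.1" 200 1300 "-" "Mozilla/5.0"',
]

# Placeholder digests, not real model hashes.
KNOWN_GOOD = {"llama3:latest": "sha256:" + "a" * 64, "mistral:latest": "sha256:" + "b" * 64}
SAMPLE_TAGS = json.dumps({"models": [
    {"name": "llama3:latest", "digest": "sha256:" + "c" * 64},               # digest changed
    {"name": "evil.example/llama3:latest", "digest": "sha256:" + "c" * 64},  # not in baseline
]})

if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(SAMPLE_SS))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT management call from non-localhost:", hit)
    print("inventory drift:", inventory_drift(SAMPLE_TAGS, KNOWN_GOOD))
```

On the sample data the bind check reports 0.0.0.0:11434 (the [::1] listener is loopback and passes), the log check flags the pull and the delete from 10.0.5.12 but not the administrator's local pull, and the inventory diff shows llama3:latest replaced, an unexpected registry-named model, and mistral:latest gone. Pair the exposure check with an external probe from another host, since a listener on 0.0.0.0 that the host firewall blocks is still worth fixing at the binding.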

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 9 - Risk management system
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.2 - AI System Security: Access Control and Authentication
  A.6.2.6 - Access control to AI systems
  A.9.3 - AI system security and integrity
NIST AI RMF
  GOVERN 6.1 - Policies and procedures for AI risk
  MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
  MANAGE 4.1 - Post-deployment AI risk monitoring and incident response
OWASP LLM Top 10
  LLM05:2025 - Supply Chain Vulnerabilities
  LLM10:2025 - Model Theft

Frequently Asked Questions

What is CVE-2025-63389?

Ollama instances reachable on any network interface, including internal networks and cloud VMs, expose their entire model-management and inference API to anyone who can connect to TCP/11434: one unauthenticated HTTP call can pull, delete, or replace production LLM models, and it leaves no credential-based IOCs because no credentials exist. Immediately bind Ollama to localhost only, verify that no running instance is reachable beyond 127.0.0.1:11434, and treat any internet-exposed Ollama as a confirmed incident.

Is CVE-2025-63389 actively exploited?

No confirmed active exploitation of CVE-2025-63389 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-63389?

1. PATCH: No patched release is listed; upgrade Ollama to a release later than v0.12.3 as releases appear and watch the official GitHub releases, but treat steps 2 through 4 as the actual fix. 2. ISOLATE IMMEDIATELY: Ensure Ollama binds only to loopback by setting OLLAMA_HOST=127.0.0.1 in the service environment, restart, and confirm with `ss -ltnp | grep 11434` that only 127.0.0.1:11434 (or [::1]:11434) is listening. 3. FIREWALL: Block TCP/11434 at the host firewall level (iptables/nftables/security groups); do not rely on application-level binding alone. 4. REVERSE PROXY WITH AUTH: Place an authenticated reverse proxy (nginx/Caddy with basic auth over TLS, or mTLS) in front of any Ollama instance that must be network-accessible, keep Ollama bound to 127.0.0.1 so the proxy is the only path to it, and deny the model-management endpoints at the proxy if remote clients only need inference. 5. AUDIT: Run `ollama list` (or GET /api/tags for full sha256 digests) and cross-reference digests against known-good pull manifests or a recorded baseline; any unexpected, changed, or missing model is a potential IOC. 6. DETECT: Alert on any POST to /api/pull, /api/push, /api/create or /api/copy, and any DELETE to /api/delete, from a source other than localhost, in reverse-proxy or host HTTP logs, WAF rules, or network logs.

What systems are affected by CVE-2025-63389?

This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines, LLM API integrations, on-prem AI infrastructure.

What is the CVSS score for CVE-2025-63389?

CVE-2025-63389 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.63%.

What is the AI security impact?

Affected AI Architectures

model serving, agent frameworks, RAG pipelines, LLM API integrations, on-prem AI infrastructure

MITRE ATLAS Techniques

AML.T0018 Manipulate AI Model
AML.T0018.000 Poison AI Model
AML.T0025 Exfiltration via Cyber Means
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0035 AI Artifact Collection
AML.T0040 AI Model Inference API Access
AML.T0044 Full AI Model Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.6.2.6, A.9.3
NIST AI RMF: GOVERN 6.1, MANAGE 2.2, MANAGE 4.1
OWASP LLM Top 10: LLM05:2025, LLM10:2025

What are the technical details?

Original Advisory

A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.

Exploitation Scenario

An attacker scans the internet (or a known enterprise IP range) for TCP/11434. On finding an exposed Ollama instance, they enumerate the installed models with GET /api/tags, then issue POST /api/pull naming a model on an attacker-controlled registry that hosts a backdoored GGUF build mimicking llama3 or mistral, and overwrite the production tag with it (POST /api/copy or POST /api/create). Subsequent LLM queries from the enterprise's internal tools (RAG pipelines, code assistants, chatbots) now go to the poisoned model, which can steer outputs through embedded prompt-injection behaviour, exfiltrate data via crafted responses, or facilitate jailbreaks. Alternatively, the attacker removes every model with one DELETE /api/delete call per model name, causing immediate denial of service to all AI-dependent workflows, with no authentication trail in any SIEM.

Weaknesses (CWE)

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
December 18, 2025
Last Modified
January 22, 2026
First Seen
December 18, 2025

Related Vulnerabilities