Medium severity6.9NVD Advisory· Published Jul 22, 2025· Updated Jun 17, 2026
CVE-2025-51471
CVE-2025-51471
Description
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ollama/ollamaGo | <= 0.9.6 | — |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/k8sgptpkg:apk/chainguard/modspkg:apk/chainguard/ollamapkg:apk/chainguard/ollama-fipspkg:apk/wolfi/k8sgptpkg:apk/wolfi/modspkg:apk/wolfi/ollamapkg:golang/github.com/ollama/ollamapkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0.4.28-r0+ 8 more
- (no CPE)range: < 0.4.28-r0
- (no CPE)range: < 1.8.1-r12
- (no CPE)range: < 0.12.10-r0
- (no CPE)range: < 0.12.10-r0
- (no CPE)range: < 0.4.28-r0
- (no CPE)range: < 1.8.1-r12
- (no CPE)range: < 0.12.10-r0
- (no CPE)range: <= 0.9.6
- (no CPE)range: < 0.0.20250730T213748-1.1
Patches
Vulnerability mechanics
References
6- github.com/ollama/ollama/pull/10750nvdExploitIssue TrackingWEB
- www.gecko.security/blog/cve-2025-51471nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-x9hg-5q6g-q3jrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-51471ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/ollama/PYSEC-2025-147.yamlghsaWEB
- huntr.com/bounties/94eea285-fd65-4e01-a035-f533575ebdc2nvdWEB
News mentions
0No linked articles in our index yet.