CVE-2025-51471
Description
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-51471: Ollama 0.6.7 allows remote attackers to steal auth tokens via a malicious realm in WWW-Authenticate header from /api/pull.
Vulnerability Overview
CVE-2025-51471 is a cross-domain token exposure vulnerability in Ollama version 0.6.7. The flaw resides in the server.auth.getAuthorizationToken function, which handles authentication challenges during model pulls. When Ollama receives a 401 Unauthorized response from an HTTPS server, it follows the WWW-Authenticate header's realm URL without validating that the realm belongs to the same domain as the original request [2][3]. This allows an attacker to redirect the authentication flow to a malicious or arbitrary domain.
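The missing check described above can be sketched as follows. This is an added example, not Ollama's code and not the change made in the upstream fix; `ValidateRealm`, `ErrCrossDomainRealm` and the sample hosts are hypothetical names, and the policy assumed is an exact host match between the pull request and the realm.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ErrCrossDomainRealm: the challenge points the token request at a
// different host than the server that answered 401 (hypothetical name).
var ErrCrossDomainRealm = errors.New("realm host differs from request host")

// realmRe pulls the realm parameter out of a WWW-Authenticate challenge.
var realmRe = regexp.MustCompile(`(?i)\brealm="([^"]*)"`)

// ValidateRealm returns the realm URL only when both URLs are HTTPS and
// the realm is served by the same host as requestURL. Hosts are compared
// case-insensitively; a port written on only one side fails closed.
func ValidateRealm(requestURL, challenge string) (*url.URL, error) {
	req, err := url.Parse(requestURL)
	if err != nil {
		return nil, err
	}
	m := realmRe.FindStringSubmatch(challenge)
	if m == nil {
		return nil, errors.New("challenge has no realm")
	}
	realm, err := url.Parse(m[1])
	if err != nil {
		return nil, err
	}
	if req.Scheme != "https" || realm.Scheme != "https" {
		return nil, errors.New("request and realm must both be https")
	}
	if !strings.EqualFold(req.Host, realm.Host) {
		return nil, fmt.Errorf("%w: %s vs %s", ErrCrossDomainRealm, realm.Host, req.Host)
	}
	return realm, nil
}

func main() {
	// Constructed sample: the pull host is illustrative; the realm is the
	// one quoted on this page.
	_, err := ValidateRealm("https://models.example.test/v2/demo/manifests/latest",
		`Bearer realm="https://registry.ollama.ai/v2/token",service="registry"`)
	fmt.Println(err)
}
```

Exact host matching is the strictest policy; a registry that delegates token issuance to a separate host would need an explicit allowlist of trusted realm hosts instead.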
Exploitation
An attacker can exploit this by hosting a malicious server that responds with a crafted WWW-Authenticate header pointing to a realm like https://registry.ollama.ai/v2/token. When a victim initiates a model pull via /api/pull and the model URL points to the attacker's server, Ollama will send the victim's authentication tokens to the specified realm, effectively leaking them to the attacker-controlled domain [3][4]. No special privileges are needed beyond the ability to serve a malicious response.
Impact
Successful exploitation allows remote attackers to steal valid authentication tokens for registry.ollama.ai, bypassing access controls. This could lead to unauthorized access to private models or other resources protected by those tokens. The attack does not require user interaction beyond pulling a malicious model [4].
Mitigation
The issue has been fixed in a subsequent release; see pull request #10750 [3]. Users should update to the latest version of Ollama. As of now, there is no workaround other than avoiding model pulls from untrusted sources.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ollama/ollama (Go) | <= 0.9.6 | — |
Affected products
- Ollama/Ollama
Patches
No patches discovered yet.