Critical severityOSV Advisory· Published Dec 18, 2025· Updated Jan 22, 2026

CVE-2025-63389

Description

A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/ollama/ollamaGo	<= 0.13.5	—

Affected products

Ollama/OllamaOSV
Range: v0.0.1, v0.0.10, v0.0.11, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-f6mr-38g8-39rgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-63389ghsaADVISORY
gist.github.com/Cristliu/48dae561696374744d9fced07a544ecdghsaWEB
gist.github.com/Cristliu/b6f4d070fb27932f581be1aadc0923e7mitre

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000