Cross-Domain Token Exposure in Ollama by Ollama
CVE-2025-51471
Key Information:
Badges
What is CVE-2025-51471?
A vulnerability in Ollama version 0.6.7 allows remote attackers to exploit the server.auth.getAuthorizationToken mechanism, enabling them to steal sensitive authentication tokens. This can occur through a crafted malicious realm value in the WWW-Authenticate header returned by the /api/pull endpoint, facilitating unauthorized access and evasion of access controls.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Security firms debate CVE credit in overlapping vulnerability reports
FuzzingLabs has accused the YCombinator-backed startup, Gecko Security, of replicating its vulnerability disclosures. Gecko allegedly filed for 2 CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over disclosure process...
Security firms dispute credit for overlapping CVE reports
FuzzingLabs has accused the YCombinator-backed startup, Gecko Security, of replicating its vulnerability disclosures. Gecko allegedly filed for 2 CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over disclosure process...
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by BleepingComputer
Vulnerability published
Vulnerability Reserved