Cross-Domain Token Exposure in Ollama by Ollama
CVE-2025-51471

6.9 MEDIUM

Key Information:

Vendor: Ollama

Status: Vendor

CVE Published: 22 July 2025

Badges

📰 News Worthy

What is CVE-2025-51471?

A vulnerability in Ollama version 0.6.7 allows remote attackers to exploit the server.auth.getAuthorizationToken mechanism, enabling them to steal sensitive authentication tokens. This can occur through a crafted malicious realm value in the WWW-Authenticate header returned by the /api/pull endpoint, facilitating unauthorized access and evasion of access controls.
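The origin check that addresses this class of issue, shown as an added example rather than Ollama's own code: parse the Bearer challenge returned with the /api/pull response and refuse to request a token from a realm that is not an https URL on the registry host already in use. Function names and the host names used below are assumptions/constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// parseBearerChallenge splits a `Bearer k="v",k="v"` challenge into its parameters
// (illustrative parser, not Ollama's own; it assumes no commas inside values).
func parseBearerChallenge(header string) (map[string]string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, part := range strings.Split(strings.TrimPrefix(header, "Bearer "), ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed challenge parameter %q", part)
		}
		params[strings.ToLower(kv[0])] = strings.Trim(kv[1], `"`)
	}
	return params, nil
}

// allowedRealm returns the realm a token request may be sent to, or an error
// when the challenge would move the token exchange off the registry's origin:
// the realm must be an https URL whose host equals the host already in use.
func allowedRealm(header, registryHost string) (string, error) {
	p, err := parseBearerChallenge(header)
	if err != nil {
		return "", err
	}
	realm, ok := p["realm"]
	if !ok {
		return "", errors.New("challenge carries no realm")
	}
	u, err := url.Parse(realm)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("realm %q is not https", realm)
	}
	if !strings.EqualFold(u.Hostname(), registryHost) {
		return "", fmt.Errorf("realm host %q differs from registry host %q", u.Hostname(), registryHost)
	}
	return realm, nil
}
```

A client that applies this check before calling its token endpoint never sends credentials to a realm outside the registry's domain, whatever the server puts in the header.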

News Articles

Security firms debate CVE credit in overlapping vulnerability reports

FuzzingLabs has accused the YCombinator-backed startup, Gecko Security, of replicating its vulnerability disclosures. Gecko allegedly filed for 2 CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over disclosure process...

1 day ago


CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
