Cross-Domain Token Exposure in Ollama by Ollama
CVE-2025-51471
What is CVE-2025-51471?
A vulnerability in Ollama version 0.6.7 allows remote attackers to exploit the server.auth.getAuthorizationToken mechanism, enabling them to steal sensitive authentication tokens. This can occur through a crafted malicious realm value in the WWW-Authenticate header returned by the /api/pull endpoint, facilitating unauthorized access and evasion of access controls.
News Articles
Security firms debate CVE credit in overlapping vulnerability reports
FuzzingLabs has accused the YCombinator-backed startup, Gecko Security, of replicating its vulnerability disclosures. Gecko allegedly filed for 2 CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over disclosure process...
1 day ago
Security firms dispute credit for overlapping CVE reports
FuzzingLabs has accused the YCombinator-backed startup, Gecko Security, of replicating its vulnerability disclosures. Gecko allegedly filed for 2 CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over disclosure process...
1 day ago