CVE-2025-51471: 
Wolfi vulnerability analysis and mitigation

Cross-Domain Token Exposure vulnerability (CVE-2025-51471) was discovered in Ollama version 0.6.7, specifically in the server.auth.getAuthorizationToken component. The vulnerability was disclosed on July 22, 2025, affecting the authentication mechanism during model pulling operations. This security flaw allows remote attackers to steal authentication tokens and bypass access controls through manipulation of the WWW-Authenticate header's realm value in the /api/pull endpoint (NVD, Gecko Security).

The vulnerability exists in the authentication challenge handling logic where Ollama fails to validate that the authentication realm in the WWW-Authenticate header belongs to the same domain as the initial request. When a user pulls a model from an HTTPS server that responds with a 401 Unauthorized status, Ollama follows the WWW-Authenticate header's realm URL without proper domain validation. The CVSS v3.1 score is 6.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N. The vulnerability is associated with CWE-345 (Insufficient Verification of Data Authenticity) and CWE-384 (Session Fixation) (NVD, Miggo).

The vulnerability enables attackers to steal authentication tokens for registry.ollama.ai by tricking users into pulling models from malicious servers. Once obtained, these tokens can be used to access private models the victim has permission to access and potentially push malicious models under the victim's identity if they have write access (Gecko Security).

A fix has been implemented in pull request #10750, which modifies the registryChallenge.URL function to include a check that compares the domain of the authentication realm with the domain of the service. This prevents the redirection of authentication tokens to malicious servers (GitHub PR).