CVE-2025-51471: 
Ollama vulnerability analysis and mitigation

Cross-Domain Token Exposure vulnerability (CVE-2025-51471) was discovered in Ollama version 0.6.7, specifically affecting the server.auth.getAuthorizationToken component. The vulnerability allows remote attackers to steal authentication tokens and bypass access controls through a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. This security issue was disclosed on July 22, 2025 (NVD, Gecko Security).

The vulnerability exists in the authentication challenge handling logic of Ollama's model pulling mechanism. When a user attempts to pull a model from an HTTPS server that responds with a 401 Unauthorized status, Ollama follows the WWW-Authenticate header's realm URL without validating if it belongs to the same domain as the original request. The CVSS v3.1 score is 6.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N. The vulnerability is associated with CWE-384 (Session Fixation) and CWE-345 (Insufficient Verification of Data Authenticity) (NVD, Gecko Security).

The vulnerability enables attackers to steal authentication tokens for registry.ollama.ai by tricking users into pulling models from malicious servers. With stolen tokens, attackers can access private models the victim has permission to access and potentially push malicious models under the victim's identity if they have write access (Gecko Security).

A fix has been proposed through a pull request (#10750) to address the cross-domain authentication token exposure. The fix involves implementing proper domain validation for authentication realm URLs (GitHub PR).