CVE-2025-63389
📋 TL;DR
A critical authentication bypass vulnerability in the Ollama platform allows remote attackers to perform model management operations without authenticating. It affects all Ollama installations running v0.12.3 and earlier. Attackers can manipulate AI models, potentially compromising model integrity and system security.
💻 Affected Systems
- Ollama
📦 What is this software?
Ollama by Ollama
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of AI model infrastructure allowing attackers to delete, modify, or replace models, potentially injecting malicious code into AI workflows and exfiltrating sensitive model data.
Likely Case
Unauthorized access to model management functions allowing attackers to delete or modify existing models, disrupt AI services, and potentially access sensitive model configurations.
If Mitigated
Limited impact if network segmentation and access controls prevent external access to vulnerable endpoints.
🎯 Exploit Status
Exploitation requires only HTTP requests to vulnerable endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.12.4 or later
Vendor Advisory: https://github.com/ollama/ollama/issues
Restart Required: Yes
Instructions:
1. Stop Ollama service.
2. Update to v0.12.4 or later using package manager or manual download.
3. Restart Ollama service.
4. Verify authentication is now required for API endpoints.
🔧 Temporary Workarounds
Network Access Control
Linux: Restrict network access to Ollama API endpoints using firewall rules
iptables -A INPUT -p tcp --dport 11434 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 11434 -j DROP
Reverse Proxy Authentication
All platforms: Place Ollama behind a reverse proxy with authentication requirements
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Ollama instances from untrusted networks
- Deploy web application firewall (WAF) rules to block unauthorized API requests to model management endpoints
🔍 How to Verify
Check if Vulnerable:
Test if API endpoints respond without authentication: curl -X POST http://ollama-host:11434/api/pull -d '{"name": "test"}'
Check Version:
ollama --version
Verify Fix Applied:
Attempt the same API request and verify that it returns an authentication error: curl -X POST http://ollama-host:11434/api/pull -d '{"name": "test"}'
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API requests to model management endpoints
- Failed authentication attempts followed by successful API calls
- Unusual model pull/push/delete operations from unexpected IPs
Network Indicators:
- HTTP POST requests to /api/pull, /api/push, /api/delete without authentication headers
- High volume of API requests from single source without authentication
SIEM Query:
source="ollama.log" AND ("POST /api/pull" OR "POST /api/push" OR "POST /api/delete") AND NOT "Authorization:"
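The log and network indicators above, as an added Python example (not part of the original advisory and not Ollama code): it flags requests to the listed model management endpoints, with any HTTP method, that come from outside trusted networks, and counts them per source. The Gin-style access-log layout, the trusted ranges and the sample lines are assumptions constructed for illustration; adapt the pattern to the log format you actually collect.

```python
import ipaddress
import re
from collections import Counter

# Endpoints the advisory lists as model management operations.
MGMT_PATHS = {"/api/pull", "/api/push", "/api/delete"}

# Assumed Gin-style access line:
#   [GIN] date - time | status | latency | client_ip | METHOD "path"
LINE_RE = re.compile(
    r'\|\s*(?P<status>\d{3})\s*\|[^|]*\|\s*(?P<ip>[0-9A-Fa-f:.]+)\s*\|\s*'
    r'(?P<method>[A-Z]+)\s+"(?P<path>[^"?]*)'
)

def flag_untrusted_mgmt(lines, trusted_cidrs):
    """Return (ip, method, path, status) for management calls from untrusted sources."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["path"] not in MGMT_PATHS:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparseable address field: skip rather than guess
        if not any(ip in net for net in trusted):
            hits.append((str(ip), m["method"], m["path"], int(m["status"])))
    return hits

def hits_per_source(hits):
    """Count flagged requests per source IP to surface high-volume callers."""
    return Counter(ip for ip, *_ in hits)

# Constructed sample lines (documentation IP ranges), not real Ollama output.
SAMPLE_LOG = [
    '[GIN] 2025/01/01 - 09:14:07 | 200 |  1.52s | 203.0.113.45 | POST     "/api/pull"',
    '[GIN] 2025/01/01 - 09:14:09 | 200 | 310.2ms |    10.0.4.12 | POST     "/api/pull"',
    '[GIN] 2025/01/01 - 09:15:30 | 200 |  4.1ms | 203.0.113.45 | DELETE   "/api/delete"',
    '[GIN] 2025/01/01 - 09:16:02 | 200 |  2.20s | 198.51.100.7 | POST     "/api/generate"',
    '[GIN] 2025/01/01 - 09:16:40 | 200 |  8.75s | 198.51.100.7 | POST     "/api/push"',
    'time=2025-01-01T09:17:00Z level=INFO msg="server started"',
]
TRUSTED = ["10.0.0.0/8", "127.0.0.1/32"]  # assumed trusted ranges

if __name__ == "__main__":
    found = flag_untrusted_mgmt(SAMPLE_LOG, TRUSTED)
    for hit in found:
        print("ALERT", *hit)
    print(dict(hits_per_source(found)))
```

A 200 status on a flagged line means the management call succeeded for an untrusted source, which is the condition the firewall and reverse-proxy workarounds are meant to prevent.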