- CVE ID: CVE-2025-63389
- Date: 2025-12-18
- Vendor: Ollama
- Product: Ollama
- Affected Versions: <= v0.12.3
- Vulnerability Type: Incorrect Access Control / Authentication Bypass
- Severity: Critical (Code Execution, Privilege Escalation, Information Disclosure)

A critical authentication bypass vulnerability exists in the API endpoints of the Ollama platform in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
- Component: `/api/tags`, `/v1/models`, `/api/copy`, `/api/delete`, `/api/create`, `/api/generate`, `/api/chat` endpoints
- Vulnerability: Missing authentication on critical API endpoints.
Attack Type: Remote
Attack Vectors: An unauthenticated attacker can exploit the lack of authentication on Ollama's API endpoints to conduct a multi-stage attack:
- Reconnaissance: Use `/api/tags` and `/v1/models` to enumerate existing models.
- Resource Manipulation: Use `/api/copy`, `/api/delete`, and `/api/create` to inject malicious system prompts into model configurations.
- Model Poisoning: Create poisoned models with identical names but containing adversarial system prompts, delete legitimate models, and force users to interact with compromised models.
Impact:
- Code Execution: Potential for RCE via malicious model configuration or prompt injection.
- Escalation of Privileges: Unauthorized management of models.
- Information Disclosure: Enumeration of installed models.
- Model Poisoning: Manipulation of model behavior.
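
Detection sketch for the chain described under Attack Vectors (enumeration followed by copy/delete/create from the same remote client), as an added example that is not part of the original advisory or of Ollama's code. It assumes gin-style access log lines; the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Endpoints named in the advisory, grouped by the attack stage they serve.
STAGES = {
    "/api/tags": "recon", "/v1/models": "recon",
    "/api/copy": "modify", "/api/delete": "modify", "/api/create": "modify",
    "/api/generate": "inference", "/api/chat": "inference",
}
# Assumed log format (gin-style): ... | status | latency | client | METHOD "path"
LINE_RE = re.compile(r'\|\s*(\d{3})\s*\|[^|]*\|\s*([0-9a-fA-F.:]+)\s*\|\s*[A-Z]+\s+"([^"?]+)')

def parse(line):
    """Return (client_ip, path, status), or None for lines that are not access records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(2)), m.group(3), int(m.group(1))
    except ValueError:  # client field was not a valid IP address
        return None

def review(lines):
    """Map each non-loopback client to the advisory stages it completed (2xx only)."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        client, path, status = rec
        stage = STAGES.get(path)
        if stage and not client.is_loopback and 200 <= status < 300:
            seen[str(client)].add(stage)
    return dict(seen)

def poisoning_suspects(lines):
    """Clients that both enumerated and changed models: the chain the advisory describes."""
    return sorted(c for c, s in review(lines).items() if {"recon", "modify"} <= s)

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '[GIN] 2025/12/18 - 10:00:01 | 200 |  1.1ms |    127.0.0.1 | GET    "/api/tags"',
    '[GIN] 2025/12/18 - 10:02:10 | 200 |  0.9ms |  203.0.113.7 | GET    "/api/tags"',
    '[GIN] 2025/12/18 - 10:02:14 | 200 |  4.2ms |  203.0.113.7 | DELETE "/api/delete"',
    '[GIN] 2025/12/18 - 10:02:15 | 200 | 80.5ms |  203.0.113.7 | POST   "/api/create"',
    '[GIN] 2025/12/18 - 10:05:00 | 200 |  2.3s  | 198.51.100.4 | POST   "/api/chat"',
    '[GIN] 2025/12/18 - 10:06:00 | 404 |  0.1ms | 198.51.100.9 | DELETE "/api/delete"',
    'time=2025-12-18T10:00:00Z level=INFO msg="not an access record"',
]

if __name__ == "__main__":
    print(poisoning_suspects(SAMPLE))
```

Because affected versions perform no authentication on these endpoints, every successful request from a non-loopback address in this log was unauthenticated; a client that appears in `poisoning_suspects` warrants comparing the installed models against known-good copies.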
- Vendor Repository: https://github.com/ollama/ollama
- Issues: https://github.com/ollama/ollama/issues
Discovered and reported by Zhihuang Liu (herecristliu@gmail.com)