CVE-2025-51471 is a vulnerability identified in Ollama version 0.6.7 that arises from improper handling of authentication tokens in the server.auth.getAuthorizationToken function. Specifically, the vulnerability involves cross-domain token exposure due to the acceptance of a malicious realm value in the WWW-Authenticate HTTP header returned by the /api/pull endpoint. The realm parameter is intended to define the protection space for authentication, but if an attacker can inject or manipulate this value, they can cause clients to send authentication tokens to attacker-controlled domains. This leads to token theft and bypass of access controls without requiring prior authentication or privileges. The attack vector is remote and requires user interaction, such as a user visiting a maliciously crafted page or endpoint that triggers the vulnerable response. The vulnerability is classified under CWE-384 (Session Fixation) and CWE-345 (Insufficient Verification of Data Authenticity), indicating weaknesses in token management and validation. The CVSS v3.1 base score is 6.9, with vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N, highlighting network attack vector, high attack complexity, no privileges required, user interaction needed, scope changed, high confidentiality impact, low integrity impact, and no availability impact. No patches or known exploits are currently available, but the vulnerability poses a significant risk of unauthorized access and token theft if exploited.

For European organizations, this vulnerability could lead to unauthorized access to sensitive systems and data if attackers successfully steal authentication tokens. The confidentiality of user credentials and session tokens is at high risk, potentially exposing personal data, intellectual property, or critical business information. The integrity impact is limited but could allow attackers to bypass access controls, leading to unauthorized actions within affected systems. Availability is not impacted directly. Organizations relying on Ollama 0.6.7 or similar versions for authentication or API services are particularly vulnerable. Given the cross-domain nature of the attack, organizations with web clients or services that interact with Ollama APIs are at risk of token leakage through malicious web content. This could facilitate further attacks such as account takeover, data exfiltration, or lateral movement within networks. The medium severity rating suggests a significant but not critical threat, emphasizing the need for timely mitigation to prevent exploitation. The lack of known exploits in the wild provides a window for proactive defense.

1. Immediately review and update Ollama to a patched version once available; monitor vendor advisories for official fixes. 2. Implement strict validation and sanitization of the realm parameter in WWW-Authenticate headers to prevent injection of malicious values. 3. Enforce strict Cross-Origin Resource Sharing (CORS) policies to restrict which domains can receive authentication tokens. 4. Employ Content Security Policy (CSP) headers to limit the execution of untrusted scripts that could trigger token leakage. 5. Use secure cookie attributes (HttpOnly, Secure, SameSite) to protect session tokens from cross-site attacks. 6. Monitor logs and network traffic for unusual authentication token transmissions or access patterns indicative of token theft. 7. Educate users about phishing and social engineering risks that could facilitate user interaction required for exploitation. 8. Conduct security testing and code reviews focusing on authentication token handling and header processing. 9. Consider implementing multi-factor authentication (MFA) to reduce the impact of stolen tokens. 10. Segment networks and limit token scope to minimize lateral movement if compromise occurs.