Cyber Posture

CVE-2025-63389

Critical

Published: 18 December 2025

Modified: 22 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A critical authentication bypass vulnerability exists in the Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: AC-14 explicitly limits actions permitted without identification or authentication, directly preventing unauthorized model management operations on exposed Ollama API endpoints.

prevent: IA-9 requires identification and authentication mechanisms for provided services, addressing the complete lack of authentication on Ollama's vulnerable API endpoints.

prevent: AC-3 enforces approved authorizations for access to system resources, mitigating unauthorized remote operations such as model listing, pulling, and deletion via unauthenticated APIs.

Security Summary [AI]

CVE-2025-63389 is a critical authentication bypass vulnerability (CWE-306) in the Ollama platform's API endpoints, affecting versions prior to and including v0.12.3. Ollama, an open-source tool for running large language models locally, exposes multiple API endpoints without requiring authentication, allowing remote attackers to perform unauthorized model management operations. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which is in the Critical range: it is reachable over the network with low attack complexity and requires no privileges or user interaction.

Remote attackers can exploit this vulnerability over the network without authentication by directly accessing the unprotected API endpoints. Successful exploitation enables unauthorized operations such as listing, pulling, deleting, or managing models on the target Ollama instance, potentially leading to full compromise of confidentiality, integrity, and availability of the platform's resources.

Mitigation details and further advisories are available in the following references: https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd, https://gist.github.com/Cristliu/b6f4d070fb27932f581be1aadc0923e7, and https://github.com/ollama/ollama/issues. Security practitioners should review these for patch information and upgrade recommendations.

Ollama's role in facilitating local deployment of AI/ML models underscores the relevance of this vulnerability to environments handling sensitive inference workloads. No public information on real-world exploitation is available as of the CVE publication on 2025-12-18.

Details

CWE(s)

Affected Products

ollama / ollama, ≤ 0.12.3

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1518 Software Discovery (Discovery): Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
T1608.001 Upload Malware (Resource Development): Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

Authentication bypass in the Ollama API endpoints enables exploitation of a public-facing application (T1190), privilege escalation (T1068), model enumeration (T1083, T1518), model deletion (T1070.004), stored data manipulation via model poisoning (T1565.001), and staging of malicious models (T1608.001).

References