Advisory GHSA-f6mr-38g8-39rg references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/ollama/ollama |
Description:
A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
References:
- ADVISORY: GHSA-f6mr-38g8-39rg
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-63389
- WEB: https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd
- WEB: https://github.com/ollama/ollama/issues
Cross references:
- github.com/ollama/ollama appears in 12 other report(s):
  - data/reports/GO-2024-2901.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: CVE-2024-37032 #2901)
  - data/reports/GO-2024-3104.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: CVE-2024-45436 #3104)
  - data/reports/GO-2024-3245.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: CVE-2024-39720 #3245)
  - data/reports/GO-2025-3548.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-v464-r2r9-www7 #3548)
  - data/reports/GO-2025-3557.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-fccc-8m69-8r78 #3557)
  - data/reports/GO-2025-3558.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-89qx-m49c-8crf #3558)
  - data/reports/GO-2025-3559.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-9gcr-28rp-cc24 #3559)
  - data/reports/GO-2025-3582.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-p2wh-w96x-w232 #3582)
  - data/reports/GO-2025-3689.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-2xf2-gjm6-g2c6 #3689)
  - data/reports/GO-2025-3695.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-wrh5-cmwx-q2qr #3695)
  - data/reports/GO-2025-3824.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-x9hg-5q6g-q3jr #3824)
  - data/reports/GO-2025-3851.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-93jv-pvg8-hf3v #3851)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/ollama/ollama
      vulnerable_at: 0.13.5
summary: |-
    Ollama Platform has missing authentication enabling attackers to perform model
    management operations in github.com/ollama/ollama
cves:
    - CVE-2025-63389
ghsas:
    - GHSA-f6mr-38g8-39rg
references:
    - advisory: https://github.com/advisories/GHSA-f6mr-38g8-39rg
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-63389
    - web: https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd
    - web: https://github.com/ollama/ollama/issues
source:
    id: GHSA-f6mr-38g8-39rg
    created: 2025-12-18T23:01:05.102315737Z
review_status: UNREVIEWED
```