Ollama Cross-Domain Token Exposure Vulnerability

Vulnerability

A cross-domain token exposure vulnerability has been identified in Ollama version 0.6.7. This issue allows remote attackers to steal authentication tokens and bypass access controls by exploiting the model pulling mechanism. When a model is requested from a server that responds with a 401 Unauthorized status, Ollama incorrectly follows the WWW-Authenticate header's realm URL without verifying if it originates from the same domain as the initial request. This flaw enables attackers to redirect the authentication flow to a malicious domain, capture valid authentication tokens, and potentially access or manipulate private models on behalf of the victim.

Impact

Exploitation of this vulnerability allows an attacker to steal authentication tokens for `registry.ollama.ai`, to access private models that the victim is permitted to use, and to push malicious models under the victim's identity if the victim has write access.

Reproduction

To reproduce this vulnerability, start the Ollama server and create a token-capture server that listens for incoming requests. The token-capture server should be configured to respond with a 401 Unauthorized status and a WWW-Authenticate header that includes a realm URL pointing to `registry.ollama.ai`. Once the token-capture server is running, send a request to the Ollama server's `/api/pull` endpoint, including the URL of the token-capture server as the model source. The authentication token will be captured by the token-capture server, demonstrating the vulnerability.

Remediation

Users can update to Ollama version 0.9.6, where this vulnerability has been fixed.
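
The check that the Vulnerability section describes as missing can be sketched as follows. This is an added example, not Ollama's code or its actual fix; `checkRealm` and `parseBearerChallenge` are hypothetical helpers and the host `untrusted.example` is a constructed sample. It refuses any `WWW-Authenticate` realm that is not HTTPS on the same host as the server that returned the 401.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// paramRe matches key="value" pairs inside a Bearer challenge.
var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// parseBearerChallenge returns the parameters of a WWW-Authenticate Bearer header.
func parseBearerChallenge(header string) (map[string]string, error) {
	h := strings.TrimSpace(header)
	if len(h) < 7 || !strings.EqualFold(h[:7], "Bearer ") {
		return nil, fmt.Errorf("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(h[7:], -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	return params, nil
}

// checkRealm (hypothetical helper) returns the token endpoint only when it is
// HTTPS and on the same host as the server that answered 401. Any other realm
// is refused before credentials are signed or sent.
func checkRealm(requested *url.URL, header string) (*url.URL, error) {
	params, err := parseBearerChallenge(header)
	if err != nil {
		return nil, err
	}
	realm, err := url.Parse(params["realm"])
	if err != nil || realm.Host == "" || realm.Scheme != "https" {
		return nil, fmt.Errorf("realm missing, malformed or not https")
	}
	if !strings.EqualFold(realm.Host, requested.Host) {
		return nil, fmt.Errorf("realm host %q differs from request host %q", realm.Host, requested.Host)
	}
	return realm, nil
}

func main() {
	// Constructed sample: pull source and realm are on different hosts.
	src, _ := url.Parse("https://untrusted.example/v2/lib/model/manifests/latest")
	_, err := checkRealm(src, `Bearer realm="https://registry.ollama.ai/token",service="x"`)
	fmt.Println("cross-domain challenge:", err)
}
```

A deployment whose token service legitimately lives on a different host than the registry would need an explicit mapping from registry host to permitted realm host instead of the strict equality used here.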

Added: Jul 22, 2025, 7:23 PM
Updated: Jul 22, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 3.1
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.