CVE-2025-63389
Published: 18 December 2025
Summary
CVE-2025-63389 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Ollama. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 34.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly limits actions permitted without identification or authentication, directly preventing unauthorized model management operations on exposed Ollama API endpoints.
IA-9 requires identification and authentication mechanisms for provided services, addressing the complete lack of authentication on Ollama's vulnerable API endpoints.
AC-3 enforces approved authorizations for access to system resources, mitigating unauthorized remote operations such as model listing, pulling, and deletion via unauthenticated APIs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in Ollama API endpoints enables exploitation of public-facing application (T1190), privilege escalation (T1068), model enumeration (T1083, T1518), model deletion (T1070.004), stored data manipulation via model poisoning (T1565.001), and staging malicious models (T1608.001).
NVD Description
A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
Deeper analysis
CVE-2025-63389 is a critical authentication bypass vulnerability (CWE-306) in the Ollama platform's API endpoints, affecting versions prior to and including v0.12.3. Ollama, an open-source tool for running large language models locally, exposes multiple API endpoints without requiring authentication, allowing remote attackers to perform unauthorized model management operations. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a critical rating driven by network reachability and the absence of any privilege requirement for exploitation.
Remote attackers can exploit this vulnerability over the network without authentication by directly accessing the unprotected API endpoints. Successful exploitation enables unauthorized operations such as listing, pulling, deleting, or managing models on the target Ollama instance, potentially leading to full compromise of confidentiality, integrity, and availability of the platform's resources.
Mitigation details and further advisories are available in the following references: https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd, https://gist.github.com/Cristliu/b6f4d070fb27932f581be1aadc0923e7, and https://github.com/ollama/ollama/issues. Security practitioners should review these for patch information and upgrade recommendations.
Ollama's role in facilitating local deployment of AI/ML models underscores the relevance of this vulnerability to environments handling sensitive inference workloads. No public information on real-world exploitation is available as of the CVE publication on 2025-12-18.
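One way to check for the unauthenticated model-management activity described above, as an added example that is not part of the original advisory or of Ollama's code: it scans reverse-proxy access logs for management calls that succeeded from outside an allowlist or without an authenticated user. The endpoint paths come from Ollama's public API documentation rather than from this page; the reverse proxy, the trusted networks and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Model-management routes per Ollama's public API docs (assumption: this
# page does not name the affected endpoints).
MANAGEMENT_ROUTES = {
    ("GET", "/api/tags"): "list", ("POST", "/api/pull"): "pull",
    ("POST", "/api/push"): "push", ("POST", "/api/create"): "create",
    ("POST", "/api/copy"): "copy", ("DELETE", "/api/delete"): "delete",
}
# Hypothetical allowlist of networks permitted to manage models.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("127.0.0.0/8", "::1/128", "10.20.0.0/24")]
# Combined log format, as written by a reverse proxy in front of Ollama.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def audit(lines):
    """Return (source, action, reason) for each model-management request that
    succeeded from an untrusted network or without an authenticated user."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable, or the request was rejected
        path = m["path"].split("?", 1)[0].rstrip("/")
        action = MANAGEMENT_ROUTES.get((m["method"], path))
        if action is None:
            continue  # inference and other non-management routes
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if not any(src in net for net in TRUSTED_NETS):
            findings.append((str(src), action, "untrusted source"))
        elif m["user"] == "-":
            findings.append((str(src), action, "no authenticated user"))
    return findings

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Dec/2025:10:00:01 +0000] "GET /api/tags HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Dec/2025:10:00:02 +0000] "DELETE /api/delete HTTP/1.1" 200 0',
    '10.20.0.5 - alice [18/Dec/2025:10:01:00 +0000] "POST /api/pull HTTP/1.1" 200 88',
    '10.20.0.9 - - [18/Dec/2025:10:02:00 +0000] "POST /api/pull HTTP/1.1" 200 88',
    '198.51.100.4 - - [18/Dec/2025:10:03:00 +0000] "POST /api/create HTTP/1.1" 401 0',
    '203.0.113.7 - - [18/Dec/2025:10:04:00 +0000] "POST /api/generate HTTP/1.1" 200 900',
]
```

A successful management call with no authenticated user, even from a trusted network, indicates that the AC-14 and AC-3 style controls listed above are not being enforced in front of the API.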
Details
- CWE(s)