Red Hot Cyber


A critical bug in Ollama allows for model replacement attacks

Redazione RHC : 20 August 2025 17:55

A vulnerability in the popular AI model launcher Ollama opened the door to drive-by attacks: a specially crafted website could silently interact with the local application, read personal correspondence, and even swap out the models in use, including uploading infected versions.

The security flaw was discovered and disclosed on July 31 by Chris Moberly, Senior Security Manager at GitLab. The vulnerability affected Ollama Desktop v0.10.0 and stemmed from an incorrect implementation of CORS controls in the local web service that backs the GUI. As a result, JavaScript on a malicious page could scan a range of ports on the victim’s computer (from 40,000 to 65,535), find the random port used by the Ollama GUI, and send a forged CORS “simple” POST request (one that triggers no preflight), modifying the settings and redirecting the traffic to the attacker’s server.

After replacing the configuration, the attacker could intercept all local requests, read the correspondence, and modify the AI’s responses in real time. The user saw a normal site, and the attack occurred without any clicks or actions on their part. Furthermore, attackers could specify their own system prompts or attach “poisoned” models, giving them complete control over the application’s operation.
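The root cause described above is a local web service that accepted state-changing POSTs from any web origin. As an added example (not Ollama’s code and not the researcher’s PoC), the following Python 3 snippet shows the defensive checks such a loopback GUI service should apply: only loopback origins are accepted, a state-changing request must carry a JSON body and a custom request header, so a CORS “simple” request from a third-party page cannot reach the handler without a preflight, and the preflight itself is refused for foreign origins. The origin allowlist, the `X-Requested-With: LocalGUI` header value and the `/settings` path are assumptions made for illustration.

```python
"""Origin checks for a loopback-only GUI API (added example, not project code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional, Tuple
from urllib.parse import urlparse

# Assumed policy: only pages served from the local machine may talk to the API.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Assumed marker header the legitimate GUI adds to every state-changing request.
GUI_HEADER = ("X-Requested-With", "LocalGUI")


def origin_allowed(origin: Optional[str]) -> bool:
    """True only if the Origin header names a loopback http origin (any port).

    A missing Origin or the literal "null" (sandboxed iframes, file://) is
    rejected: the server cannot prove such a request came from its own GUI.
    """
    if not origin:
        return False
    parsed = urlparse(origin)
    return parsed.scheme == "http" and parsed.hostname in LOOPBACK_HOSTS


def state_change_allowed(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a POST may change settings; returns (allowed, reason).

    Requiring application/json and a custom header means a cross-site page
    cannot send this request as a CORS "simple" request; the browser must
    preflight it, and the preflight is denied below for foreign origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(h.get("origin")):
        return False, "origin not allowed"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type"
    if h.get(GUI_HEADER[0].lower()) != GUI_HEADER[1]:
        return False, "missing GUI header"
    return True, "ok"


class GuiHandler(BaseHTTPRequestHandler):
    """Minimal handler wiring the checks into a settings endpoint."""

    def _deny(self, code: int, reason: str) -> None:
        # No Access-Control-Allow-* headers on denial: the browser blocks the response.
        self.send_response(code)
        self.end_headers()
        self.wfile.write(reason.encode())

    def do_OPTIONS(self) -> None:  # CORS preflight
        origin = self.headers.get("Origin")
        if not origin_allowed(origin):
            return self._deny(403, "preflight refused")
        self.send_response(204)
        self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Access-Control-Allow-Methods", "POST")
        self.send_header("Access-Control-Allow-Headers", "Content-Type, " + GUI_HEADER[0])
        self.end_headers()

    def do_POST(self) -> None:
        if self.path != "/settings":
            return self._deny(404, "not found")
        ok, reason = state_change_allowed(dict(self.headers.items()))
        if not ok:
            return self._deny(403, reason)
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        # Settings would be validated and applied here; we only acknowledge.
        self.send_response(200)
        self.send_header("Access-Control-Allow-Origin", self.headers["Origin"])
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"accepted": %d}' % len(body))


if __name__ == "__main__":
    # Bind to loopback only; a random high port mirrors the GUI's behaviour.
    HTTPServer(("127.0.0.1", 0), GuiHandler).serve_forever()
```

The two pure functions are what matter: the handler only shows where they sit. Binding to 127.0.0.1 alone does not help against this attack class, because the request originates from the victim’s own browser; the Origin check and the forced preflight are what stop a foreign page.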

Moberly noted that exploiting the vulnerability “would be trivial” and emphasized that even preparing the attack infrastructure could be automated using an LLM. Fortunately, the Ollama team responded quickly and acknowledged the issue, releasing an updated version, v0.10.1, an hour later, which fixes the bug. For users who installed Ollama via the official installers, a simple restart of the program was all it took for the automatic update to take effect; those who installed it via Homebrew must update it manually.

The PoC code and the technical description of the attack were published by Moberly on GitLab. There is no information yet that the vulnerability has been exploited by attackers, but the researcher recommends that all Ollama users make sure they are running the patched version.

Ollama is designed to run LLMs locally on macOS and Windows computers. The vulnerability did not affect Ollama’s core API and was limited to the new GUI, which had been available for only a few weeks before the bug was discovered. The issue has not yet been assigned a CVE identifier.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
