{"id":51118736,"url":"https://github.com/Perufitlife/ollama-security","last_synced_at":"2026-06-25T00:01:26.326Z","repository":{"id":366362808,"uuid":"1275993053","full_name":"Perufitlife/ollama-security","owner":"Perufitlife","description":"Active-probe security auditor for Ollama: detects a publicly bound, unauthenticated API and PROVES model/compute leaks live via anonymous /api/tags, /api/ps, /api/generate and CORS probes. Zero deps, MIT.","archived":false,"fork":false,"pushed_at":"2026-06-21T12:50:03.000Z","size":13,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-21T14:40:09.813Z","etag":null,"topics":["ai-agents","cors","devsecops","llm","llm-security","local-ai","local-llm","ollama","security","security-audit"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Perufitlife.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-21T12:04:57.000Z","updated_at":"2026-06-21T12:50:06.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Perufitlife/ollama-security","commit_stats":null,"previous_names":["perufitlife/ollama-security"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Perufitlife/ollama-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Follama-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Follama-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Follama-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Follama-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Perufitlife","download_url":"https://codeload.github.com/Perufitlife/ollama-security/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Follama-security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34753781,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-24T02:00:07.484Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","cors","devsecops","llm","llm-security","local-ai","local-llm","ollama","security","security-audit"],"created_at":"2026-06-25T00:01:24.993Z","updated_at":"2026-06-25T00:01:26.319Z","avatar_url":"https://github.com/Perufitlife.png","language":"JavaScript","funding_links":[],"categories":["Local LLM / AI"],"sub_categories":[],"readme":"# ollama-security\n\n\u003e Audit any **Ollama** server for the one misconfiguration that actually leaks compute and models — a public API bound with **no authentication** — and **prove it live with an anonymous probe** of `/api/tags`, `/api/ps`, `/api/version`, `/api/generate` and CORS reflection. Other checklists tell you what *might* be wrong; this fetches the bytes and shows you what *is*.\n\n\u003e ⚡ **Run it in one line, no token, no install:**\n\u003e ```bash\n\u003e npx ollama-security --url http://your-host:11434\n\u003e ```\n\n\u003e 🤝 **Want it done for you?** [Fixed-scope audit — $99 / 24h](https://buy.stripe.com/3cIeVdgikfj47yx9LkcAo0m): I verify each finding live and send a written report with the exact config fixes.\n\n[![npm](https://img.shields.io/npm/v/ollama-security?color=red)](https://www.npmjs.com/package/ollama-security) [![downloads](https://img.shields.io/npm/dw/ollama-security)](https://www.npmjs.com/package/ollama-security) ![license](https://img.shields.io/badge/license-MIT-green) ![node](https://img.shields.io/badge/node-%3E%3D18-blue) ![deps](https://img.shields.io/badge/dependencies-0-brightgreen)\n\n```\n$ npx ollama-security --url http://10.0.0.5:11434\n2 critical, 4 high, 1 medium — 7 CONFIRMED via anonymous probe\n  CRITICAL  /api/version    Ollama API reachable with no authentication (v0.5.1)\n  CRITICAL  /api/pull       anonymous model push/pull reachable — model theft + RCE chain\n  HIGH      /api/tags       full model inventory leaked — 11 models reachable\n  HIGH      /api/ps         running models + VRAM exposed\n  HIGH      CORS            Origin reflected → any website can drive your Ollama\n  HIGH      /api/generate   anonymous inference accepted — free GPU / compute theft\n```\n\n## Why this exists\n\nOllama is the default way to run local LLMs — and it ships with **no\nauthentication** on port `11434` (CNVD-2025-04094). If `OLLAMA_HOST` is bound to\n`0.0.0.0` and the port is reachable, *anyone* who finds it has full control of\nyour models and your GPU.\n\nThis is not theoretical. In February 2026, ~**175,000 Ollama instances** were\nfound exposed with zero auth (LeakIX / the Cisco–Shodan study). The documented\nabuse is brutal: model theft via `pull`/`push`, free inference on your hardware,\nand proven RCE chains — in June 2026 Sysdig caught an attacker using an exposed\nOllama as a **malware brain**.\n\n`ollama-security` checks for these and **confirms the real ones** by issuing the\nexact anonymous request an attacker would — so you triage facts, not maybes. If\nyour server isn't anonymously reachable, it tells you so and exits clean.\n\n## What it checks\n\n| Check | Severity | How it's confirmed |\n|---|---|---|\n| API reachable with no auth | critical | anonymous `GET /api/version` answers `{version}` |\n| Model push/pull write path open | critical | anonymous `POST /api/pull` accepted (not 401/403) |\n| Model inventory leak | high | anonymous `GET /api/tags` returns every model |\n| Running models / VRAM leak | high | anonymous `GET /api/ps` returns loaded models |\n| CORS reflects arbitrary Origin | high | a foreign `Origin` is echoed in `Access-Control-Allow-Origin` |\n| Free inference (compute theft) | high | anonymous `POST /api/generate` accepted |\n| Version disclosure | medium | `/api/version` reveals the exact build for CVE matching |\n\nThe write-path probes (`/api/pull`, `/api/generate`) are sent with empty/`num_predict=1`\npayloads so the tool **never downloads a model or runs a real workload** — a `200`\nor `400` proves the endpoint is open; `401`/`403`/`404` means it's protected.\n\n## Usage\n\n```bash\n# Probe a live instance\nnpx ollama-security --url http://your-host:11434\n\n# Bare host works too (defaults to http:// and port 11434)\nnpx ollama-security --url your-host\n\n# Write a shareable HTML report\nnpx ollama-security --url http://your-host:11434 --html report.html\n\n# Static only (no requests sent) — just list the checks\nnpx ollama-security --url http://your-host:11434 --no-probe\n```\n\nOutput is JSON on stdout (pipe it into CI) and a one-line summary on stderr.\nExit is non-zero only on usage errors — gate your pipeline on the JSON `summary`.\n\n## The fix, in one line\n\n```bash\n# bind Ollama to localhost only, then firewall 11434 / front it with an authed proxy\nexport OLLAMA_HOST=127.0.0.1\n# and never set OLLAMA_ORIGINS=* on a public box\n```\n\n## Install (optional)\n\n```bash\nnpm i -g ollama-security\nollama-security --url http://your-host:11434\n```\n\nZero dependencies. Your data and credentials never leave your machine — every\nrequest goes straight from the tool to your Ollama server.\n\n## Sister tools\n\nSame active-probe philosophy for the rest of the stack, all MIT:\n\n[supabase-security](https://github.com/Perufitlife/supabase-security-skill) ·\n[pocketbase-security](https://github.com/Perufitlife/pocketbase-security-skill) ·\n[firebase-security](https://github.com/Perufitlife/firebase-security-skill) ·\n[appwrite-security](https://github.com/Perufitlife/appwrite-security-skill) ·\n[nhost-security](https://github.com/Perufitlife/nhost-security-skill) ·\n[strapi-security](https://github.com/Perufitlife/strapi-security) ·\n[directus-security](https://github.com/Perufitlife/directus-security)\n\n## License\n\nMIT © [Renzo Madueno](https://github.com/Perufitlife)\n\n---\n\n📚 Part of [**Awesome Backend Security Auditors**](https://github.com/Perufitlife/awesome-backend-security) — the full collection of keyless active-probe auditors.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPerufitlife%2Follama-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPerufitlife%2Follama-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPerufitlife%2Follama-security/lists"}