https://github.com/Perufitlife/ollama-security
Active-probe security auditor for Ollama: detects a publicly bound, unauthenticated API and PROVES model/compute leaks live via anonymous /api/tags, /api/ps, /api/generate and CORS probes. Zero deps, MIT.
https://github.com/Perufitlife/ollama-security
ai-agents cors devsecops llm llm-security local-ai local-llm ollama security security-audit
Last synced: 24 days ago
JSON representation
Active-probe security auditor for Ollama: detects a publicly bound, unauthenticated API and PROVES model/compute leaks live via anonymous /api/tags, /api/ps, /api/generate and CORS probes. Zero deps, MIT.
- Host: GitHub
- URL: https://github.com/Perufitlife/ollama-security
- Owner: Perufitlife
- License: mit
- Created: 2026-06-21T12:04:57.000Z (28 days ago)
- Default Branch: master
- Last Pushed: 2026-06-21T12:50:03.000Z (28 days ago)
- Last Synced: 2026-06-21T14:40:09.813Z (27 days ago)
- Topics: ai-agents, cors, devsecops, llm, llm-security, local-ai, local-llm, ollama, security, security-audit
- Language: JavaScript
- Size: 12.7 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# ollama-security
> Audit any **Ollama** server for the one misconfiguration that actually leaks compute and models β a public API bound with **no authentication** β and **prove it live with an anonymous probe** of `/api/tags`, `/api/ps`, `/api/version`, `/api/generate` and CORS reflection. Other checklists tell you what *might* be wrong; this fetches the bytes and shows you what *is*.
> β‘ **Run it in one line, no token, no install:**
> ```bash
> npx ollama-security --url http://your-host:11434
> ```
> π€ **Want it done for you?** [Fixed-scope audit β $99 / 24h](https://buy.stripe.com/3cIeVdgikfj47yx9LkcAo0m): I verify each finding live and send a written report with the exact config fixes.
[](https://www.npmjs.com/package/ollama-security) [](https://www.npmjs.com/package/ollama-security)   
```
$ npx ollama-security --url http://10.0.0.5:11434
2 critical, 4 high, 1 medium β 7 CONFIRMED via anonymous probe
CRITICAL /api/version Ollama API reachable with no authentication (v0.5.1)
CRITICAL /api/pull anonymous model push/pull reachable β model theft + RCE chain
HIGH /api/tags full model inventory leaked β 11 models reachable
HIGH /api/ps running models + VRAM exposed
HIGH CORS Origin reflected β any website can drive your Ollama
HIGH /api/generate anonymous inference accepted β free GPU / compute theft
```
## Why this exists
Ollama is the default way to run local LLMs β and it ships with **no
authentication** on port `11434` (CNVD-2025-04094). If `OLLAMA_HOST` is bound to
`0.0.0.0` and the port is reachable, *anyone* who finds it has full control of
your models and your GPU.
This is not theoretical. In February 2026, ~**175,000 Ollama instances** were
found exposed with zero auth (LeakIX / the CiscoβShodan study). The documented
abuse is brutal: model theft via `pull`/`push`, free inference on your hardware,
and proven RCE chains β in June 2026 Sysdig caught an attacker using an exposed
Ollama as a **malware brain**.
`ollama-security` checks for these and **confirms the real ones** by issuing the
exact anonymous request an attacker would β so you triage facts, not maybes. If
your server isn't anonymously reachable, it tells you so and exits clean.
## What it checks
| Check | Severity | How it's confirmed |
|---|---|---|
| API reachable with no auth | critical | anonymous `GET /api/version` answers `{version}` |
| Model push/pull write path open | critical | anonymous `POST /api/pull` accepted (not 401/403) |
| Model inventory leak | high | anonymous `GET /api/tags` returns every model |
| Running models / VRAM leak | high | anonymous `GET /api/ps` returns loaded models |
| CORS reflects arbitrary Origin | high | a foreign `Origin` is echoed in `Access-Control-Allow-Origin` |
| Free inference (compute theft) | high | anonymous `POST /api/generate` accepted |
| Version disclosure | medium | `/api/version` reveals the exact build for CVE matching |
The write-path probes (`/api/pull`, `/api/generate`) are sent with empty/`num_predict=1`
payloads so the tool **never downloads a model or runs a real workload** β a `200`
or `400` proves the endpoint is open; `401`/`403`/`404` means it's protected.
## Usage
```bash
# Probe a live instance
npx ollama-security --url http://your-host:11434
# Bare host works too (defaults to http:// and port 11434)
npx ollama-security --url your-host
# Write a shareable HTML report
npx ollama-security --url http://your-host:11434 --html report.html
# Static only (no requests sent) β just list the checks
npx ollama-security --url http://your-host:11434 --no-probe
```
Output is JSON on stdout (pipe it into CI) and a one-line summary on stderr.
Exit is non-zero only on usage errors β gate your pipeline on the JSON `summary`.
## The fix, in one line
```bash
# bind Ollama to localhost only, then firewall 11434 / front it with an authed proxy
export OLLAMA_HOST=127.0.0.1
# and never set OLLAMA_ORIGINS=* on a public box
```
## Install (optional)
```bash
npm i -g ollama-security
ollama-security --url http://your-host:11434
```
Zero dependencies. Your data and credentials never leave your machine β every
request goes straight from the tool to your Ollama server.
## Sister tools
Same active-probe philosophy for the rest of the stack, all MIT:
[supabase-security](https://github.com/Perufitlife/supabase-security-skill) Β·
[pocketbase-security](https://github.com/Perufitlife/pocketbase-security-skill) Β·
[firebase-security](https://github.com/Perufitlife/firebase-security-skill) Β·
[appwrite-security](https://github.com/Perufitlife/appwrite-security-skill) Β·
[nhost-security](https://github.com/Perufitlife/nhost-security-skill) Β·
[strapi-security](https://github.com/Perufitlife/strapi-security) Β·
[directus-security](https://github.com/Perufitlife/directus-security)
## License
MIT Β© [Renzo Madueno](https://github.com/Perufitlife)
---
π Part of [**Awesome Backend Security Auditors**](https://github.com/Perufitlife/awesome-backend-security) β the full collection of keyless active-probe auditors.