ollama-security

v0.1.0

Audit any Ollama server for the misconfiguration that leaks compute and models — a public API bound with no auth — and PROVE it live with an anonymous probe of /api/tags, /api/ps, /api/version and CORS reflection. Zero deps, no keys.

Downloads

153

ollama-security

Audit any Ollama server for the one misconfiguration that actually leaks compute and models — a public API bound with no authentication — and prove it live with an anonymous probe of /api/tags, /api/ps, /api/version, /api/generate and CORS reflection. Other checklists tell you what might be wrong; this fetches the bytes and shows you what is.

Run it in one line, no token, no install:

npx ollama-security --url http://your-host:11434

🤝 Want it done for you? Fixed-scope audit — $99 / 24h: I verify each finding live and send a written report with the exact config fixes.

$ npx ollama-security --url http://10.0.0.5:11434
2 critical, 4 high, 1 medium — 7 CONFIRMED via anonymous probe
  CRITICAL  /api/version    Ollama API reachable with no authentication (v0.5.1)
  CRITICAL  /api/pull       anonymous model push/pull reachable — model theft + RCE chain
  HIGH      /api/tags       full model inventory leaked — 11 models reachable
  HIGH      /api/ps         running models + VRAM exposed
  HIGH      CORS            Origin reflected → any website can drive your Ollama
  HIGH      /api/generate   anonymous inference accepted — free GPU / compute theft

Why this exists

Ollama is the default way to run local LLMs — and it ships with no authentication on port 11434 (CNVD-2025-04094). If OLLAMA_HOST is bound to 0.0.0.0 and the port is reachable, anyone who finds it has full control of your models and your GPU.

This is not theoretical. In February 2026, ~175,000 Ollama instances were found exposed with zero auth (LeakIX / the Cisco–Shodan study). The documented abuse is brutal: model theft via pull/push, free inference on your hardware, and proven RCE chains — in June 2026 Sysdig caught an attacker using an exposed Ollama as a malware brain.

ollama-security checks for these and confirms the real ones by issuing the exact anonymous request an attacker would — so you triage facts, not maybes. If your server isn't anonymously reachable, it tells you so and exits clean.

What it checks

| Check | Severity | How it's confirmed |
|---|---|---|
| API reachable with no auth | critical | anonymous GET /api/version answers {version} |
| Model push/pull write path open | critical | anonymous POST /api/pull accepted (not 401/403) |
| Model inventory leak | high | anonymous GET /api/tags returns every model |
| Running models / VRAM leak | high | anonymous GET /api/ps returns loaded models |
| CORS reflects arbitrary Origin | high | a foreign Origin is echoed in Access-Control-Allow-Origin |
| Free inference (compute theft) | high | anonymous POST /api/generate accepted |
| Version disclosure | medium | /api/version reveals the exact build for CVE matching |

The write-path probes (/api/pull, /api/generate) are sent with empty/num_predict=1 payloads so the tool never downloads a model or runs a real workload — a 200 or 400 proves the endpoint is open; 401/403/404 means it's protected.
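
The confirmation rules from the table and the paragraph above, applied to responses that have already been captured. This is an added example, not the package's own code: the response-map shape, the helper names and the `https://audit.example` origin are assumptions, and the sample responses are constructed.

```javascript
const SENT_ORIGIN = "https://audit.example"; // hypothetical foreign Origin sent by the probe
// Write-path rule from the text: 200 or 400 means open, 401/403/404 means protected.
function writePathOpen(status) {
  if (status === 200 || status === 400) return true;
  if ([401, 403, 404].includes(status)) return false;
  return null; // 5xx, redirects, timeouts: inconclusive, not a finding
}
// Header names are case-insensitive, so normalise before comparing.
function corsReflected(headers, sentOrigin) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "access-control-allow-origin") return value === sentOrigin;
  }
  return false;
}
function parseJson(body) {
  try { return JSON.parse(body); } catch (e) { return null; } // e.g. a proxy's HTML error page
}
// responses: { "<METHOD> <path>": { status, headers, body } }
function triage(responses, sentOrigin = SENT_ORIGIN) {
  const findings = [];
  const add = (severity, check, detail) => findings.push({ severity, check, detail });
  const get = (key) => responses[key] || { status: 0, headers: {}, body: "" };
  const version = get("GET /api/version");
  const v = version.status === 200 ? parseJson(version.body) : null;
  if (v && typeof v.version === "string") {
    add("critical", "/api/version", `API reachable with no authentication (v${v.version})`);
    add("medium", "/api/version", "exact build disclosed for CVE matching");
  }
  if (writePathOpen(get("POST /api/pull").status)) add("critical", "/api/pull", "write path open");
  for (const [path, what] of [["/api/tags", "model inventory"], ["/api/ps", "running models"]]) {
    const r = get(`GET ${path}`);
    const j = r.status === 200 ? parseJson(r.body) : null;
    if (j && Array.isArray(j.models)) add("high", path, `${what} returned (${j.models.length})`);
  }
  if (corsReflected(version.headers, sentOrigin)) add("high", "CORS", "foreign Origin reflected");
  if (writePathOpen(get("POST /api/generate").status)) add("high", "/api/generate", "anonymous inference accepted");
  return findings;
}

// Constructed sample responses: an exposed server, and the same server behind an authenticating proxy.
const exposed = {
  "GET /api/version": { status: 200, headers: { "Access-Control-Allow-Origin": SENT_ORIGIN }, body: '{"version":"0.5.1"}' },
  "POST /api/pull": { status: 400, headers: {}, body: '{"error":"constructed"}' },
  "GET /api/tags": { status: 200, headers: {}, body: '{"models":[{"name":"a"},{"name":"b"}]}' },
  "GET /api/ps": { status: 200, headers: {}, body: '{"models":[]}' },
  "POST /api/generate": { status: 400, headers: {}, body: '{"error":"constructed"}' },
};
const proxied = Object.fromEntries(Object.keys(exposed).map((k) => [k, { status: 401, headers: {}, body: "Unauthorized" }]));
console.log(triage(exposed).length, triage(proxied).length);
```

Statuses outside the two documented groups are returned as inconclusive rather than counted as findings, so an upstream 502 does not read as an open endpoint.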

Usage

# Probe a live instance
npx ollama-security --url http://your-host:11434

# Bare host works too (defaults to http:// and port 11434)
npx ollama-security --url your-host

# Write a shareable HTML report
npx ollama-security --url http://your-host:11434 --html report.html

# Static only (no requests sent) — just list the checks
npx ollama-security --url http://your-host:11434 --no-probe

Output is JSON on stdout (pipe it into CI) and a one-line summary on stderr. Exit is non-zero only on usage errors — gate your pipeline on the JSON summary.

The fix, in one line

# bind Ollama to localhost only, then firewall 11434 / front it with an authed proxy
export OLLAMA_HOST=127.0.0.1
# and never set OLLAMA_ORIGINS=* on a public box
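
A lint for the two settings named in the fix, run against an environment object before the service starts. This is an added example, not part of the package: the function names and the fail/warn levels are assumptions, and the sample environments are constructed.

```javascript
// Extract the host part of an OLLAMA_HOST value such as "0.0.0.0:11434" or "http://[::1]:11434".
function bindHost(value) {
  const s = value.trim().replace(/^[a-z]+:\/\//i, "").split("/")[0]; // drop scheme and path
  if (s.startsWith("[")) return s.slice(1, s.indexOf("]"));          // bracketed IPv6
  if (s.split(":").length > 2) return s;                             // bare IPv6, no port
  return s.split(":")[0];                                            // host or host:port
}

function bindScope(host) {
  const h = host.toLowerCase();
  if (h === "localhost" || h === "::1" || /^127(\.\d{1,3}){3}$/.test(h)) return "loopback";
  if (h === "0.0.0.0" || h === "::") return "all-interfaces";
  return "specific"; // one named address or hostname: reachable from whatever network it sits on
}

// env: a plain object shaped like process.env. Returns [{ level, key, msg }].
function auditEnv(env) {
  const issues = [];
  const raw = env.OLLAMA_HOST;
  // Unset or empty OLLAMA_HOST: Ollama's default bind is 127.0.0.1:11434.
  const scope = raw === undefined || raw.trim() === "" ? "loopback" : bindScope(bindHost(raw));
  if (scope === "all-interfaces") {
    issues.push({ level: "fail", key: "OLLAMA_HOST", msg: "bound to every interface; set 127.0.0.1" });
  } else if (scope === "specific") {
    issues.push({ level: "warn", key: "OLLAMA_HOST", msg: "non-loopback bind; needs firewall or authed proxy" });
  }
  const origins = (env.OLLAMA_ORIGINS || "").split(",").map((o) => o.trim()).filter(Boolean);
  if (origins.includes("*")) {
    const level = scope === "loopback" ? "warn" : "fail"; // wildcard on a reachable bind is the worst case
    issues.push({ level, key: "OLLAMA_ORIGINS", msg: "wildcard origin allows any website to call the API" });
  }
  return issues;
}

// Constructed environments: the weak setting next to the corrected one.
const weak = { OLLAMA_HOST: "0.0.0.0:11434", OLLAMA_ORIGINS: "*" };
const fixed = { OLLAMA_HOST: "127.0.0.1" };
console.log(auditEnv(weak), auditEnv(fixed));
```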

Install (optional)

npm i -g ollama-security
ollama-security --url http://your-host:11434

Zero dependencies. Your data and credentials never leave your machine — every request goes straight from the tool to your Ollama server.

Sister tools

Same active-probe philosophy for the rest of the stack, all MIT:

supabase-security · pocketbase-security · firebase-security · appwrite-security · nhost-security · strapi-security · directus-security

License

MIT © Renzo Madueno