# Full Report
FuzzingLabs has accused the Y Combinator-backed startup Gecko Security of replicating its vulnerability disclosures. Gecko allegedly filed for two CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over the disclosure process. [...]
# Analysis Summary
This is a dispute over vulnerability disclosure credit, not a technical report that documents a specific exploitable flaw with full impact and patching details for every affected system. The summary below reflects only the information available about the two *disputed* CVEs.
# Vulnerability: Disputed Credit for Ollama and Gradio Vulnerabilities
## CVE Details
- CVE ID: CVE-2025-51471 (Ollama) / CVE-2025-48889 (Gradio)
- CVSS Score: Not specified in the text.
- CWE: Not specified in the text.
## Affected Systems
- Products: Ollama, Gradio
- Versions: Specific vulnerable versions were not detailed, only that multiple versions of these products were affected.
- Configurations: Not specified.
## Vulnerability Description
The text refers to two separate vulnerabilities initially reported by FuzzingLabs:
1. **CVE-2025-51471 (Ollama):** Authentication token stealing vulnerability in the Ollama server.
2. **CVE-2025-48889 (Gradio):** Arbitrary file copy and Denial of Service (DoS) via the Gradio flagging mechanism.
The primary focus of the article is the dispute between FuzzingLabs and Gecko Security over who discovered and disclosed these flaws first, and credit assignment for the resulting CVEs.
## Exploitation
- Status: PoCs appear to exist, since FuzzingLabs alleges that Gecko "copied the PoCs." Exploitation in the wild is **unknown**.
- Complexity: **Unknown**. Given the vulnerability types (token stealing, file copy/DoS), complexity is likely Low to Medium, depending on the network access required.
- Attack Vector: **Unknown**, but likely Network, since both products are server components.
## Impact
- Confidentiality: **High** (for CVE-2025-51471, involving token stealing).
- Integrity: **High** (for CVE-2025-48889, involving arbitrary file copy).
- Availability: **High** (for CVE-2025-48889, involving DoS).
## Remediation
### Patches
- Patches are likely available from the respective product maintainers (Ollama and Gradio), since CVEs have been assigned. *Specific patch versions are not listed in the source text.*
### Workarounds
- No official workarounds were mentioned in the context of the dispute, beyond the general need to apply updates/patches.
## Detection
- **Indicators of Compromise:** Not specified.
- **Detection methods and tools:** Not specified. Detection would rely on monitoring the respective applications for the exploit patterns associated with token theft (Ollama) or file system manipulation via the flagging mechanism (Gradio).
## References
- Vendor Advisories: GitHub has updated advisories to properly credit FuzzingLabs' original reports (e.g., GHSA-8jw3-v96g for Gradio).
- Relevant links (defanged):
  - FuzzingLabs Allegations Post: hxxps://x[.]com/FuzzingLabs/status/1977720899114606745
  - Ollama Original Report (Huntr): hxxps://huntr[.]dev/bounties/94eea285-fd65-4e01-a035-f533575ebdc2
  - Gradio Original Report (Huntr): hxxps://huntr[.]dev/bounties/a50de58d-fbf5-4662-bf5c-2b1208be57d8
  - FuzzingLabs Detailed Findings: hxxps://www[.]notion[.]site/fuzzinglabs/Gecko-Security-STOLEN-CVEs-28b2bf1235b380d8aa92d9935f21a874