Full Report
FuzzingLabs has accused Gecko Security, a Y Combinator-backed startup, of replicating its vulnerability disclosures. Gecko allegedly filed two CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing and calls the allegations a misunderstanding over the disclosure process. [...]
Analysis Summary
# Vulnerability: Disclosure Dispute Involving Ollama and Gradio Flaws
This document summarizes the vulnerabilities cited in a dispute between FuzzingLabs and Gecko Security over credit for vulnerability disclosures. The source establishes only that the two flaws (CVE-2025-51471 and CVE-2025-48889) exist and are the subject of the dispute; it does not give their technical details, severity ratings, or remediation steps, and this summary does not supply what the source lacks.
## CVE Details
- CVE ID: CVE-2025-51471 (Ollama)
- CVE ID: CVE-2025-48889 (Gradio)
- CVSS Score: Not specified in the article.
- CWE: Not specified in the article.
## Affected Systems
- Products: Ollama, Gradio
- Versions: Not listed in the source; the affected releases are those in which the token-theft (Ollama) and file-copy/DoS (Gradio) issues were reported.
- Configurations: N/A
## Vulnerability Description
The dispute centers on two security flaws whose discovery credit is contested between the two firms:
1. **Ollama:** Authentication token theft affecting the Ollama server.
2. **Gradio:** Arbitrary file copy and denial of service (DoS) via Gradio's flagging mechanism.
## Exploitation
- Status: Proof-of-concept code exists for both flaws; FuzzingLabs alleges that Gecko copied its PoCs. The PoCs themselves are not reproduced in the source.
- Complexity: Not specified; the source provides no CVSS attack-complexity metric, and the flaw class alone does not determine it.
- Attack Vector: Not stated. Both Ollama and Gradio expose HTTP services, and Gradio's flagging feature writes user-submitted inputs to disk, so a network vector is plausible for both, but the source does not confirm it.
## Impact
The confidentiality, integrity and availability impact below is inferred from the flaw descriptions; the source provides no CVSS vector or breakdown:
- **Ollama token theft:** Confidentiality is directly affected; integrity may also be affected if the stolen token grants write access to the server's API.
- **Gradio file copy/DoS:** Availability is affected by the DoS. An arbitrary file copy affects confidentiality when it lets an attacker copy sensitive files to a readable location, or integrity when it lets them overwrite existing files; the source does not say which applies.
## Remediation
### Patches
- Not listed in the source. Fixed versions, if released, should be taken from the GitHub security advisories for Ollama and Gradio, which the source notes were updated.
### Workarounds
- No specific technical workarounds are mentioned in the context of the disclosure dispute.
## Detection
- No indicators of compromise (IOCs) are provided; the source documents only the disclosure timeline and the dispute.
## References
- The source links no vendor advisories but states that the relevant GitHub security advisories were updated.
- [FuzzingLabs allegation summary](https://notion.so/fuzzinglabs/Gecko-Security-STOLEN-CVEs-28b2bf1235b380d8aa92d9935f21a874)
- [Gecko Security blog post (edited)](https://www.gecko.security/blog/cve-2025-51471)