Out-Of-Memory Vulnerability in ollama Server by ollama
CVE-2024-12886

7.5HIGH

Key Information:

Vendor: Ollama
Status: Ollama/ollama
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-12886?

An Out-Of-Memory (OOM) vulnerability has been identified in the ollama server, specifically in version 0.3.14. This issue can be exploited when an attacker sends a maliciously crafted HTTP response, known as a gzip bomb, to the server API. The vulnerability resides in the makeRequestWithRetry and getAuthorizationToken functions, both of which use io.ReadAll for reading response bodies. This design flaw may lead to excessive memory consumption, ultimately resulting in a service crash and a Denial of Service (DoS) condition.

Affected Version(s)

ollama/ollama <= unspecified

References

https://huntr.com/bounties/f115fe52-58af-4844-ad29-b1c25f...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Dec 20, 2024

Ollama

What is CVE-2024-12886?

Affected Version(s)

References

CVSS V3.0

Timeline