Out-Of-Memory Vulnerability in ollama Server by ollama
CVE-2024-12886

7.5 HIGH

Key Information:

Vendor:
Ollama

CVE Published:
20 March 2025

What is CVE-2024-12886?

An Out-Of-Memory (OOM) vulnerability has been identified in the ollama server, specifically in version 0.3.14. It is triggered when the ollama server receives a maliciously crafted HTTP response, a gzip bomb, from a remote server it contacts through its API: the attacker controls that upstream server, not the ollama host. The vulnerable code is in the makeRequestWithRetry and getAuthorizationToken functions, both of which read the entire response body into memory with io.ReadAll and apply no size limit. Because the body is decompressed before it is read, a response of a few kilobytes on the wire can inflate to gigabytes in memory, consuming all available memory and crashing the service, a Denial of Service (DoS) condition.
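The unbounded io.ReadAll pattern described above, and one way to bound it, as an added example that is not ollama's own code: it starts an in-process HTTP server that plays the malicious upstream and answers with a constructed gzip bomb under Content-Encoding: gzip. Go's default http.Transport inflates such a body transparently, so the vulnerable reader allocates the full inflated size while the hardened reader stops at a cap. The names gzipBomb, newBombServer, vulnerableRead, hardenedRead, ErrBodyTooLarge and the 1 MiB maxBodyBytes limit are assumptions of the example, not identifiers from ollama.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is a hypothetical cap on how much decompressed response body the
// client will hold in memory; a real limit depends on the endpoint being called.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

// ErrBodyTooLarge is returned by hardenedRead when a response exceeds the cap.
var ErrBodyTooLarge = errors.New("response body exceeds configured limit")

// gzipBomb builds a gzip stream that inflates to `size` zero bytes. It is the
// constructed sample input: tens of MiB of zeros compress to tens of KiB.
func gzipBomb(size int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zeros := make([]byte, 64*1024)
	for written := 0; written < size; {
		chunk := zeros
		if remaining := size - written; remaining < len(chunk) {
			chunk = zeros[:remaining]
		}
		if _, err := zw.Write(chunk); err != nil {
			panic(err)
		}
		written += len(chunk)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// newBombServer plays the malicious upstream (for example a registry the ollama
// server would contact). Every request gets the bomb with Content-Encoding: gzip;
// Go's default transport decompresses it, so resp.Body yields the inflated bytes.
func newBombServer(inflated int) *httptest.Server {
	bomb := gzipBomb(inflated)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Encoding", "gzip")
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(bomb)
	}))
}

// vulnerableRead mirrors the pattern the advisory describes: io.ReadAll on an
// unbounded response body, so peak memory is decided by the remote server.
func vulnerableRead(url string) (int, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, err
	}
	return len(body), nil
}

// hardenedRead caps the number of decompressed bytes it will buffer. Reading
// limit+1 bytes through io.LimitReader detects an oversize body without ever
// allocating more than the cap. Limiting compressed bytes on the wire would not
// help, because the transport inflates the body before the caller sees it.
func hardenedRead(url string, limit int64) (int, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, limit+1))
	if err != nil {
		return 0, err
	}
	if int64(len(body)) > limit {
		return 0, ErrBodyTooLarge
	}
	return len(body), nil
}

func main() {
	const inflated = 32 << 20 // 32 MiB once decompressed
	srv := newBombServer(inflated)
	defer srv.Close()
	fmt.Printf("bomb on the wire: %d bytes\n", len(gzipBomb(inflated)))
	n, err := vulnerableRead(srv.URL)
	fmt.Printf("vulnerable: buffered %d bytes, err=%v\n", n, err)
	n, err = hardenedRead(srv.URL, maxBodyBytes)
	fmt.Printf("hardened:   buffered %d bytes, err=%v\n", n, err)
}
```

Run it with go run; the vulnerable path buffers the whole 32 MiB while the hardened path returns ErrBodyTooLarge after reading 1 MiB plus one byte. The cap has to sit on the decompressed stream (the LimitReader wraps resp.Body after the transport's gzip decoding), because the byte count on the wire says nothing about how far a body will inflate.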

Affected Version(s)

ollama/ollama <= unspecified

References

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 20 March 2025

  • Vulnerability reserved