CVE-2024-12886: Ollama Vulnerable to Denial of Service (DoS) via Crafted GZIP

March 20, 2025 (updated March 21, 2025)

An Out-Of-Memory (OOM) vulnerability exists in the ollama server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the ollama server crashing. The vulnerability is present in the makeRequestWithRetry and getAuthorizationToken functions, which use io.ReadAll to read the response body. This can result in excessive memory usage and a Denial of Service (DoS) condition.

References

github.com/advisories/GHSA-v464-r2r9-www7
github.com/ollama/ollama
huntr.com/bounties/f115fe52-58af-4844-ad29-b1c25f7245df
nvd.nist.gov/vuln/detail/CVE-2024-12886

Code Behaviors & Features

Detect and mitigate CVE-2024-12886 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →