Ollama <= 0.3.14 Multiple Vulnerabilities

high Nessus Plugin ID 233434

Synopsis

The Ollama instance installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Ollama installed on the remote host is prior or equal to 0.3.14. It is, therefore, affected by multiple vulnerabilities, including the following:

- A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. This can lead to a division-by-zero error in the ggufPadding function, causing the server to crash and resulting in a Denial of Service (DoS) attack. (CVE-2025-0317)

- A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create a model from it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) attack. (CVE-2025-0315)

- A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of the issue is an out-of-bounds read in the gguf.go file. (CVE-2024-12055)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade Ollama to a version later than 0.3.14.

See Also

https://huntr.com/bounties/a9951bca-9bd8-49b2-b143-4cd4219f9fa0

https://huntr.com/bounties/da414d29-b55a-496f-b135-17e0fcec67bc

https://huntr.com/bounties/f115fe52-58af-4844-ad29-b1c25f7245df

https://huntr.com/bounties/7b111d55-8215-4727-8807-c5ed4cf1bfbe

Plugin Details

Severity: High

ID: 233434

File Name: ollama_0_3_14.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Published: 3/28/2025

Updated: 3/28/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-12055

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:ollama:ollama

Patch Publication Date: 3/20/2025

Vulnerability Publication Date: 3/20/2025

Reference Information

CVE: CVE-2024-12055, CVE-2024-12886, CVE-2025-0315, CVE-2025-0317

IAVB: 2025-B-0041