CVE-2024-12886

EPSS 0.67%
Veröffentlicht 20.03.2025 10:10:28
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Out-Of-Memory (OOM) Vulnerability in ollama/ollama

An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is present in the `makeRequestWithRetry` and `getAuthorizationToken` functions, which use `io.ReadAll` to read the response body. This can result in excessive memory usage and a Denial of Service (DoS) condition.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerollama

≫

Produkt ollama/ollama

Version <= latest

Version unspecified

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.67%	0.472

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

https://huntr.com/bounties/f115fe52-58af-4844-ad29-b1c25f7245df

https://nvd.nist.gov/vuln/detail/CVE-2024-12886

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12886

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12886

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-12886