CVE-2025-1975 Overview
A Denial of Service (DoS) vulnerability exists in Ollama server version 0.5.11 that allows malicious users to crash the server through improper validation of array index access. The vulnerability is triggered when downloading a model via the /api/pull endpoint, where an attacker can customize manifest content and spoof a service to cause improper array index access, resulting in a complete server crash.
Critical Impact
Remote attackers can cause service disruption by exploiting improper array bounds checking during model download operations, potentially affecting AI/ML workloads relying on Ollama infrastructure.
Affected Products
- Ollama version 0.5.11
- Ollama server deployments with exposed /api/pull endpoint
- Systems running Ollama with network-accessible API interfaces
Discovery Timeline
- 2025-05-16 - CVE-2025-1975 published to NVD
- 2025-06-24 - Last updated in NVD database
Technical Details for CVE-2025-1975
Vulnerability Analysis
This vulnerability (CWE-129: Improper Validation of Array Index) occurs in the model download functionality of the Ollama server. When processing requests to the /api/pull endpoint, the server fails to properly validate array index boundaries when parsing manifest content. This allows an attacker to craft malicious manifest data that references out-of-bounds array indices, triggering an unhandled exception that crashes the server process.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for publicly exposed Ollama instances. The impact is limited to availability—no data confidentiality or integrity compromise occurs—but service disruption can be significant for organizations relying on Ollama for AI/ML inference workloads.
Root Cause
The root cause is improper validation of array index access within the model manifest parsing logic. When the Ollama server processes a model pull request, it parses manifest content that contains array structures. The code fails to verify that array indices referenced in the manifest are within valid bounds before attempting to access them. This classic bounds checking error (CWE-129) allows attackers to supply manifest data with malicious index values that cause the application to access memory outside allocated array boundaries, resulting in a crash.
Attack Vector
The attack vector is network-based, targeting the /api/pull endpoint exposed by the Ollama server. An attacker can exploit this vulnerability by:
- Setting up a malicious service that responds with crafted manifest content
- Spoofing or redirecting model download requests to the malicious service
- Including manifest data with array indices that exceed valid bounds
- Triggering the server to process this malicious manifest during a pull operation
The vulnerability requires the attacker to have network access to the Ollama API endpoint. No privileges or user interaction are required, making this a straightforward remote DoS attack.
For technical details about the vulnerability mechanism, refer to the Huntr Bug Bounty Report.
Detection Methods for CVE-2025-1975
Indicators of Compromise
- Unexpected Ollama server crashes or restarts during model download operations
- Error logs indicating array index out-of-bounds exceptions or segmentation faults
- Anomalous requests to the /api/pull endpoint from untrusted sources
- Network connections to unknown or suspicious model registries
Detection Strategies
- Monitor Ollama server logs for crash events correlated with /api/pull requests
- Implement network-level detection for unusual model pull requests from external sources
- Deploy application crash monitoring to detect repeated DoS attempts
- Use endpoint detection to identify patterns of service disruption targeting AI/ML infrastructure
Monitoring Recommendations
- Enable verbose logging on Ollama server instances to capture request details before crashes
- Implement health checks with alerting for Ollama service availability
- Monitor network traffic to and from Ollama servers for connections to untrusted model sources
- Track server restart frequency as an indicator of potential exploitation attempts
How to Mitigate CVE-2025-1975
Immediate Actions Required
- Restrict network access to the Ollama API endpoint using firewall rules or network segmentation
- Implement authentication and authorization controls for the /api/pull endpoint
- Configure Ollama to only pull models from trusted, verified registries
- Deploy a reverse proxy with request validation in front of Ollama servers
Patch Information
Organizations should monitor the official Ollama project for security updates addressing this vulnerability. Check the Huntr Bug Bounty Report for the latest remediation guidance and patch availability. Upgrade from version 0.5.11 to a patched version as soon as one becomes available.
Workarounds
- Restrict /api/pull endpoint access to trusted internal networks only
- Implement network-level controls to prevent connections to untrusted model registries
- Use application-level firewalls to validate and sanitize incoming API requests
- Deploy Ollama behind an authenticated API gateway to prevent unauthorized access
# Example: Restrict Ollama API access using iptables
# Allow only trusted internal network to access Ollama API (default port 11434)
iptables -A INPUT -p tcp --dport 11434 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 11434 -j DROP
# Alternative: Use firewalld to restrict access
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port protocol="tcp" port="11434" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="11434" reject'
firewall-cmd --reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
