GHSA-v464-r2r9-www7

Suggest an improvement
Source
https://github.com/advisories/GHSA-v464-r2r9-www7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-v464-r2r9-www7/GHSA-v464-r2r9-www7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v464-r2r9-www7
Aliases
Published
2025-03-20T12:32:44Z
Modified
2025-03-31T17:44:33.215400Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Ollama Vulnerable to Denial of Service (DoS) via Crafted GZIP
Details

An Out-Of-Memory (OOM) vulnerability exists in the ollama server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the ollama server crashing. The vulnerability is present in the makeRequestWithRetry and getAuthorizationToken functions, which use io.ReadAll to read the response body. This can result in excessive memory usage and a Denial of Service (DoS) condition.

Database specific 
{
    "nvd_published_at": "2025-03-20T10:15:31Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:25:07Z"
}
References

Affected packages

Go / github.com/ollama/ollama

Package

Name
github.com/ollama/ollama
View open source insights on deps.dev
Purl
pkg:golang/github.com/ollama/ollama

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.3.14