CVE-2024-12055

CVE-2024-12055 is a vulnerability in Ollama versions up to and including 0.3.14, stemming from an out-of-bounds read in the gguf.go file and classified under CWE-125. This flaw allows a malicious user to create a customized GGUF model file that can be uploaded to a public Ollama server. When the server processes the malicious model, it crashes, resulting in a Denial of Service (DoS) condition. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact.

Any unauthenticated attacker with network access can exploit this vulnerability due to its lack of prerequisite privileges or user interaction. By crafting and uploading the malicious GGUF model file to the public Ollama server, the attacker triggers the out-of-bounds read during model processing, causing the server to crash and disrupting service availability for all users.

For mitigation details, security practitioners should consult the advisory referenced at https://huntr.com/bounties/7b111d55-8215-4727-8807-c5ed4cf1bfbe, which documents the issue discovered through a bug bounty program. Upgrading to Ollama versions beyond 0.3.14 is implied as a resolution based on the affected version scope.