CVE-2024-8063
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-8063, published on 2025-03-20, is a divide by zero vulnerability (CWE-369) affecting ollama/ollama version v0.3.3. The issue arises during the import of GGUF models when a crafted type is specified for the `block_count` parameter in the Modelfile. Processing such a model by the server triggers the vulnerability, resulting in a denial of service (DoS) condition due to a crash. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability is exploitable by any unauthenticated remote attacker with network access to the Ollama server. By providing a specially crafted GGUF model via a Modelfile, the attacker can induce a server crash during model import and processing, achieving a denial of service that disrupts availability without impacting confidentiality or integrity.
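As an added illustration (not Ollama's own code), the following Go sketch contrasts the metadata-access pattern that lets a mistyped `block_count` silently read as zero with a strict accessor that rejects the key at import time, before any per-block division runs. The `KV` type, the `llama.block_count` sample key and the byte budgets are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// KV stands in for a parsed GGUF metadata table (key -> value). Hypothetical type.
type KV map[string]any

// ErrBadBlockCount is returned when block_count is missing, mistyped, negative or zero.
var ErrBadBlockCount = errors.New("gguf: invalid block_count")

// lenientUint is the weak pattern: a missing or mistyped key silently becomes 0.
func lenientUint(kv KV, key string) uint64 {
	if v, ok := kv[key].(uint64); ok {
		return v
	}
	return 0
}

// StrictBlockCount accepts only integer encodings for {arch}.block_count and rejects zero.
func StrictBlockCount(kv KV, arch string) (uint64, error) {
	key := arch + ".block_count"
	var n uint64
	switch v := kv[key].(type) {
	case uint32:
		n = uint64(v)
	case uint64:
		n = v
	case int32:
		if v < 0 {
			return 0, fmt.Errorf("%w: negative value in %q", ErrBadBlockCount, key)
		}
		n = uint64(v)
	default:
		return 0, fmt.Errorf("%w: key %q has type %T", ErrBadBlockCount, key, kv[key])
	}
	if n == 0 {
		return 0, fmt.Errorf("%w: zero value in %q", ErrBadBlockCount, key)
	}
	return n, nil
}

// BytesPerLayer divides a constructed tensor budget across blocks only after validation.
func BytesPerLayer(kv KV, arch string, total uint64) (uint64, error) {
	n, err := StrictBlockCount(kv, arch)
	if err != nil {
		return 0, err // crafted model rejected at import instead of crashing the server
	}
	return total / n, nil
}

// UnsafeBytesPerLayer has the vulnerable shape: a mistyped key reads as 0 and the divide panics.
func UnsafeBytesPerLayer(kv KV, arch string, total uint64) uint64 {
	return total / lenientUint(kv, arch+".block_count")
}

func main() {
	fmt.Println(BytesPerLayer(KV{"llama.block_count": uint32(32)}, "llama", 1<<30))
	fmt.Println(BytesPerLayer(KV{"llama.block_count": "32"}, "llama", 1<<30)) // constructed: wrong type
}
```

The strict accessor turns the crash described above into an import-time error that can be logged and alerted on.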
Advisories and mitigation details are available in the Huntr bounty report at https://huntr.com/bounties/fd8e1ed6-21d2-4c9e-8395-2098f11b7db9.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Ollama is an open-source platform for running large language models (LLMs) locally, including model import and inference via an API. The vulnerability affects model import (GGUF/Modelfile processing), which is core to its AI/ML functionality.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The divide-by-zero vulnerability in Ollama allows exploitation to crash the server during model import, enabling endpoint denial of service via application exploitation.