CVE-2024-12055: Ollama: DoS via malicious gguf model file upload

HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Any public-facing Ollama instance on version <=0.3.14 can be crashed with a single unauthenticated model upload, taking down all LLM inference on that server. Upgrade to the latest Ollama release immediately and restrict the model upload API to authenticated users only. If running Ollama in shared or production environments, treat this as critical until patched.

Risk Assessment

High severity (CVSS 7.5) with network-accessible attack vector, zero authentication required, and trivial exploitation. Ollama is widely deployed in enterprise AI development and self-hosted inference stacks—often with default configurations that expose the API without authentication on internal networks or inadvertently to the internet. While not in CISA KEV and no confirmed active exploitation at time of writing, the near-zero exploitation barrier and broad deployment footprint make this a high-priority patch target. Impact is limited to availability—no confidentiality or integrity compromise—but sustained DoS of inference services can disrupt AI-dependent business processes.

Affected Systems

Package Ecosystem Vulnerable Range Patched
ollama pip No patch
170.6K · 1.4K dependents · Pushed 6d ago · 4% patched · ~0d to patch


Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 19% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Recommended Action

6 steps
  1. PATCH

    Upgrade Ollama to a version >0.3.14 immediately—this is the primary fix.

  2. RESTRICT API ACCESS

    Place Ollama behind a reverse proxy (nginx/Caddy) with authentication required before any API call reaches the service.

  3. BLOCK MODEL UPLOADS

    If model upload/creation is not required, block /api/push and model create endpoints at the network layer or via proxy ACLs.

  4. NETWORK SEGMENTATION

    Ollama should never be directly internet-exposed; bind to localhost or internal network interfaces only, enforce VPN access.

  5. DETECT

    Monitor for repeated unexpected Ollama process crashes or restarts as a potential exploitation indicator—alert on more than 2 restarts within 10 minutes.

  6. AUDIT

    Inventory all Ollama deployments including developer laptops, test environments, and CI/CD pipelines that may run with default insecure configurations.
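Step 5 above sets a concrete detection threshold (more than 2 restarts within 10 minutes). The script below is an added example, not code from this advisory or from the Ollama project: it reads systemd/journald-style log lines for a supervised Ollama unit, counts only those service starts that follow an unexpected process exit (so a first boot or an operator-initiated start is not treated as a crash restart), and raises an alert whenever the count inside a sliding 10-minute window exceeds the threshold. The log lines are constructed sample data; the unit name ollama.service and the description string "Ollama Service" are assumptions matching a default systemd install and should be adapted to your own supervisor (Docker, Kubernetes, a different unit name).

```python
"""Restart-storm detector: an availability-side exploitation indicator for
CVE-2024-12055 (more than 2 Ollama restarts within 10 minutes).

Added example, not part of the advisory or of the Ollama project. Log lines
are constructed; regexes assume a systemd unit named ollama.service whose
Description is "Ollama Service" (adjust for your environment).
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
THRESHOLD = 2  # alert when restarts inside WINDOW exceed this (3 or more)

# Constructed sample log (not captured from a real system): one clean start,
# three crash/restart cycles a couple of minutes apart, then an operator
# start much later with no preceding crash.
SAMPLE_LOG = """\
2025-03-20T10:00:01Z host systemd[1]: Started Ollama Service.
2025-03-20T10:02:15Z host ollama[4242]: panic: runtime error: index out of range
2025-03-20T10:02:16Z host systemd[1]: ollama.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
2025-03-20T10:02:19Z host systemd[1]: Started Ollama Service.
2025-03-20T10:04:40Z host systemd[1]: ollama.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
2025-03-20T10:04:43Z host systemd[1]: Started Ollama Service.
2025-03-20T10:06:02Z host systemd[1]: ollama.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
2025-03-20T10:06:05Z host systemd[1]: Started Ollama Service.
2025-03-20T11:30:00Z host systemd[1]: Started Ollama Service.
"""

# Assumed journald line shapes: "<iso-ts> <host> systemd[<pid>]: <message>".
EXIT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: ollama\.service: Main process exited"
)
START_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: Started Ollama Service\.$"
)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_restarts(log_text):
    """Return timestamps of service starts that follow an unexpected exit.

    A 'Started' line with no preceding 'Main process exited' (first boot,
    operator start) is not counted as a restart.
    """
    restarts = []
    crashed = False
    for line in log_text.splitlines():
        if EXIT_RE.match(line):
            crashed = True
            continue
        m = START_RE.match(line)
        if m:
            if crashed:
                restarts.append(parse_ts(m.group("ts")))
            crashed = False
    return restarts


def detect_restart_storm(log_text, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window check over crash restarts.

    Returns a list of (alert_time, restarts_in_window) tuples, one entry for
    every restart at which more than `threshold` restarts fall inside `window`.
    """
    alerts = []
    recent = deque()
    for ts in extract_restarts(log_text):
        recent.append(ts)
        # Drop restarts that are now older than the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            alerts.append((ts, len(recent)))
    return alerts


if __name__ == "__main__":
    for when, count in detect_restart_storm(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()}: {count} ollama crash restarts within {WINDOW}")
```

On the constructed sample the detector fires once, at the third crash restart (10:06:05), because the three restarts at 10:02:19, 10:04:43 and 10:06:05 all fall inside one 10-minute window; the 11:30:00 start is ignored because no crash preceded it. In a real pipeline you would feed the same functions from `journalctl -u ollama.service -o short-iso` or your container runtime's event stream and route the alert to the same channel that receives other availability incidents.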

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - AI system availability and resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain deployment and operation of the AI system
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2024-12055?

Any public-facing Ollama instance on version <=0.3.14 can be crashed with a single unauthenticated model upload, taking down all LLM inference on that server. Upgrade to the latest Ollama release immediately and restrict the model upload API to authenticated users only. If running Ollama in shared or production environments, treat this as critical until patched.

Is CVE-2024-12055 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12055, increasing the risk of exploitation.

How to fix CVE-2024-12055?

1. PATCH: Upgrade Ollama to a version >0.3.14 immediately; this is the primary fix.
2. RESTRICT API ACCESS: Place Ollama behind a reverse proxy (nginx/Caddy) with authentication required before any API call reaches the service.
3. BLOCK MODEL UPLOADS: If model upload/creation is not required, block /api/push and model create endpoints at the network layer or via proxy ACLs.
4. NETWORK SEGMENTATION: Ollama should never be directly internet-exposed; bind to localhost or internal network interfaces only, enforce VPN access.
5. DETECT: Monitor for repeated unexpected Ollama process crashes or restarts as a potential exploitation indicator; alert on more than 2 restarts within 10 minutes.
6. AUDIT: Inventory all Ollama deployments including developer laptops, test environments, and CI/CD pipelines that may run with default insecure configurations.

What systems are affected by CVE-2024-12055?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, self-hosted AI infrastructure, model serving, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2024-12055?

CVE-2024-12055 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of the issue is an out-of-bounds read in the gguf.go file.

Exploitation Scenario

An adversary identifies a public-facing or network-accessible Ollama instance via Shodan/Censys scanning for the default port 11434. Requiring zero credentials, they craft a malformed GGUF model file with an invalid header or tensor metadata section designed to trigger the out-of-bounds read in gguf.go during parsing. They upload the file via the standard Ollama API model creation endpoint. When the server processes the malicious GGUF file, the out-of-bounds read causes an immediate process crash. All LLM inference is unavailable for every user and application depending on that endpoint. On container auto-restart, the attacker simply re-uploads the file to sustain the outage indefinitely. The entire attack requires only basic knowledge of the GGUF file format and a single HTTP request.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 20, 2025
Last Modified
May 13, 2025
First Seen
March 20, 2025

Related Vulnerabilities