AI Threat Alert

CVE-2024-8063: ollama: divide-by-zero DoS via crafted GGUF model import

HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

If your organization runs ollama for local or internal LLM inference, this is a zero-authentication crash vulnerability — any network-reachable ollama instance can be taken down by uploading a crafted GGUF model file. Update to a patched version immediately and restrict the ollama API (port 11434) to trusted internal users only. This is especially urgent for teams where ollama backs production AI agents or internal tooling with uptime requirements.

What is the risk?

High exploitability: CVSS 7.5, network-accessible, no authentication required, no user interaction needed. Impact is limited to availability (no confidentiality or integrity loss), but ollama is widely deployed in enterprise AI stacks as a local inference backend. Default ollama installations expose the API on all interfaces without authentication, making internet-exposed or broadly accessible internal instances immediately vulnerable. Blast radius scales with how many AI-dependent workflows depend on the crashed instance.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Ollama pip No patch
174.6K 1.6K dependents Pushed 3d ago 12% patched ~0d to patch Full package profile →

Do you use Ollama? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 44% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

6 steps

  1. PATCH

    Upgrade ollama to the latest version (>v0.3.3) immediately.

  2. NETWORK

    Firewall port 11434 — bind ollama to 127.0.0.1 only unless remote access is required (OLLAMA_HOST=127.0.0.1).

  3. AUTH

    Place a reverse proxy with authentication (nginx + basic auth or mTLS) in front of any network-exposed ollama instance.

  4. INPUT VALIDATION

    Only allow model imports from trusted, verified sources — enforce an internal model registry.

  5. MONITORING

    Alert on unexpected ollama process restarts or crash loops, which may indicate exploitation attempts.

  6. DETECTION

    Log all /api/pull and model import requests; anomalous block_count values in GGUF metadata should trigger investigation.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Supply Chain Inference Model Framework AML.T0011.000 AML.T0029 AML.T0049 AML.T0076

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.3 - AI system operation and monitoring
NIST AI RMF
MANAGE-4.1 - Residual risks are managed
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-8063?

If your organization runs ollama for local or internal LLM inference, this is a zero-authentication crash vulnerability — any network-reachable ollama instance can be taken down by uploading a crafted GGUF model file. Update to a patched version immediately and restrict the ollama API (port 11434) to trusted internal users only. This is especially urgent for teams where ollama backs production AI agents or internal tooling with uptime requirements.

Is CVE-2024-8063 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-8063, increasing the risk of exploitation.

How to fix CVE-2024-8063?

1. PATCH: Upgrade ollama to the latest version (>v0.3.3) immediately. 2. NETWORK: Firewall port 11434 — bind ollama to 127.0.0.1 only unless remote access is required (`OLLAMA_HOST=127.0.0.1`). 3. AUTH: Place a reverse proxy with authentication (nginx + basic auth or mTLS) in front of any network-exposed ollama instance. 4. INPUT VALIDATION: Only allow model imports from trusted, verified sources — enforce an internal model registry. 5. MONITORING: Alert on unexpected ollama process restarts or crash loops, which may indicate exploitation attempts. 6. DETECTION: Log all `/api/pull` and model import requests; anomalous `block_count` values in GGUF metadata should trigger investigation.

What systems are affected by CVE-2024-8063?

This vulnerability affects the following AI/ML architecture patterns: LLM inference servers, RAG pipelines, agent frameworks, local AI deployment, model serving.

What is the CVSS score for CVE-2024-8063?

CVE-2024-8063 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.59%.

What is the AI security impact?

Affected AI Architectures

LLM inference serversRAG pipelinesagent frameworkslocal AI deploymentmodel serving

MITRE ATLAS Techniques

AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application
AML.T0076 Corrupt AI Model

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.10.3
NIST AI RMF: MANAGE-4.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it to crash.

Exploitation Scenario

An adversary identifies an internal ollama deployment (e.g., via port scan on 11434 or via supply-chain access to a developer machine). They craft a GGUF model file with an invalid or unexpected data type for the `block_count` field in the model metadata. Without authentication, they POST the malicious model to the ollama `/api/pull` or model import endpoint. The server attempts to parse the GGUF metadata, performs an arithmetic operation using the malformed `block_count` value, hits a divide-by-zero, and crashes. All AI services dependent on that ollama instance go offline. The attacker can repeat this to maintain a persistent DoS if the endpoint remains open and unpatched.

Weaknesses (CWE)

CWE-369 Divide By Zero

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
March 20, 2025
Last Modified
May 13, 2025
First Seen
March 20, 2025

Related Vulnerabilities

CRITICAL CVE-2026-46339 10.0

9router: unauthenticated RCE exposes LLM API keys

Same package: ollama
CRITICAL CVE-2026-42249 9.8

Ollama: path traversal + unsigned update = silent RCE

Same package: ollama
CRITICAL CVE-2026-42248 9.8

Ollama: silent auto-update bypasses signature check on Windows

Same package: ollama
CRITICAL CVE-2025-63389 9.8

ollama: Missing Auth allows unauthenticated access

Same package: ollama
CRITICAL CVE-2026-7482 9.1

Ollama: heap OOB read leaks API keys and chat data

Same package: ollama
Back to Threat Feed