CVE-2024-8063: ollama: divide-by-zero DoS via crafted GGUF model import
HIGH | PoC AVAILABLE | CISA: TRACK*

If your organization runs ollama for local or internal LLM inference, this is a zero-authentication crash vulnerability — any network-reachable ollama instance can be taken down by uploading a crafted GGUF model file. Update to a patched version immediately and restrict the ollama API (port 11434) to trusted internal users only. This is especially urgent for teams where ollama backs production AI agents or internal tooling with uptime requirements.
Risk Assessment
High exploitability: CVSS 7.5, network-accessible, no authentication required, no user interaction needed. Impact is limited to availability (no confidentiality or integrity loss), but ollama is widely deployed in enterprise AI stacks as a local inference backend. Default ollama installations expose the API on all interfaces without authentication, making internet-exposed or broadly accessible internal instances immediately vulnerable. Blast radius scales with how many AI-dependent workflows depend on the crashed instance.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ollama | pip | — | No patch |
Do you use ollama? You're affected.
Recommended Action
1. PATCH: Upgrade ollama to the latest version (>v0.3.3) immediately.
2. NETWORK: Firewall port 11434 — bind ollama to 127.0.0.1 only unless remote access is required (`OLLAMA_HOST=127.0.0.1`).
3. AUTH: Place a reverse proxy with authentication (nginx + basic auth or mTLS) in front of any network-exposed ollama instance.
4. INPUT VALIDATION: Only allow model imports from trusted, verified sources — enforce an internal model registry.
5. MONITORING: Alert on unexpected ollama process restarts or crash loops, which may indicate exploitation attempts.
6. DETECTION: Log all `/api/pull` and model import requests; anomalous `block_count` values in GGUF metadata should trigger investigation.
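A pre-import check for the `block_count` anomaly that the INPUT VALIDATION and DETECTION steps refer to, added here as an example (it is not ollama's code or its fix). It assumes the public GGUF v2/v3 metadata layout and treats a missing, non-integer or non-positive `<arch>.block_count` as anomalous; `check_block_count`, `sample_gguf` and `MAX_LEN` are names made up for this example.

```python
import io
import struct

# GGUF metadata value-type ids -> struct formats for the fixed-size scalars.
SCALARS = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
           6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
STRING, ARRAY, INT_TYPES = 8, 9, {0, 1, 2, 3, 4, 5, 10, 11}
MAX_LEN = 1 << 20  # assumed cap on lengths/counts read from an untrusted file

def _read(f, fmt):
    data = f.read(struct.calcsize(fmt))
    if len(data) != struct.calcsize(fmt):
        raise ValueError("truncated GGUF metadata")
    return struct.unpack(fmt, data)[0]

def _value(f, vtype, depth=0):
    if vtype in SCALARS:
        return _read(f, SCALARS[vtype])
    if vtype not in (STRING, ARRAY) or depth > 2:
        raise ValueError(f"unsupported GGUF value type {vtype}")
    etype = _read(f, "<I") if vtype == ARRAY else None
    n = _read(f, "<Q")
    if n > MAX_LEN:
        raise ValueError("oversized string or array")
    if vtype == STRING:
        return _read(f, f"<{n}s").decode("utf-8", "replace")
    return [_value(f, etype, depth + 1) for _ in range(n)]

def check_block_count(f):
    """Return findings for the <arch>.block_count key of a GGUF stream."""
    if f.read(4) != b"GGUF":
        raise ValueError("not a GGUF file")
    version, _tensors, kv_count = (_read(f, "<I"), _read(f, "<Q"), _read(f, "<Q"))
    if version < 2 or kv_count > MAX_LEN:
        raise ValueError("unsupported version or oversized key count")
    findings, seen = [], False
    for _ in range(kv_count):
        key, vtype = _value(f, STRING), _read(f, "<I")
        value = _value(f, vtype)
        if key.endswith(".block_count"):
            seen = True
            # Reject before import: wrong type, or a value unsafe as a divisor.
            if vtype not in INT_TYPES or value <= 0:
                findings.append(f"{key}: type id {vtype}, value {value!r}")
    return findings if seen else ["block_count key missing"]

def sample_gguf(vtype, raw, key=b"llama.block_count"):
    """Constructed input: GGUF v3 header plus a single block_count key."""
    head = struct.pack("<IQQQ", 3, 0, 1, len(key))
    return io.BytesIO(b"GGUF" + head + key + struct.pack("<I", vtype) + raw)
```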
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-8063?
If your organization runs ollama for local or internal LLM inference, this is a zero-authentication crash vulnerability — any network-reachable ollama instance can be taken down by uploading a crafted GGUF model file. Update to a patched version immediately and restrict the ollama API (port 11434) to trusted internal users only. This is especially urgent for teams where ollama backs production AI agents or internal tooling with uptime requirements.
Is CVE-2024-8063 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-8063, increasing the risk of exploitation.
How to fix CVE-2024-8063?
1. PATCH: Upgrade ollama to the latest version (>v0.3.3) immediately.
2. NETWORK: Firewall port 11434 — bind ollama to 127.0.0.1 only unless remote access is required (`OLLAMA_HOST=127.0.0.1`).
3. AUTH: Place a reverse proxy with authentication (nginx + basic auth or mTLS) in front of any network-exposed ollama instance.
4. INPUT VALIDATION: Only allow model imports from trusted, verified sources — enforce an internal model registry.
5. MONITORING: Alert on unexpected ollama process restarts or crash loops, which may indicate exploitation attempts.
6. DETECTION: Log all `/api/pull` and model import requests; anomalous `block_count` values in GGUF metadata should trigger investigation.
What systems are affected by CVE-2024-8063?
This vulnerability affects the following AI/ML architecture patterns: LLM inference servers, RAG pipelines, agent frameworks, local AI deployment, model serving.
What is the CVSS score for CVE-2024-8063?
CVE-2024-8063 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.
Technical Details
NVD Description
A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it to crash.
Exploitation Scenario
An adversary identifies an internal ollama deployment (e.g., via port scan on 11434 or via supply-chain access to a developer machine). They craft a GGUF model file with an invalid or unexpected data type for the `block_count` field in the model metadata. Without authentication, they POST the malicious model to the ollama `/api/pull` or model import endpoint. The server attempts to parse the GGUF metadata, performs an arithmetic operation using the malformed `block_count` value, hits a divide-by-zero, and crashes. All AI services dependent on that ollama instance go offline. The attacker can repeat this to maintain a persistent DoS if the endpoint remains open and unpatched.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
- huntr.com/bounties/fd8e1ed6-21d2-4c9e-8395-2098f11b7db9 Exploit 3rd Party
- github.com/ARPSyndicate/cve-scores Exploit
- github.com/fkie-cad/nvd-json-data-feeds Exploit
Related Vulnerabilities
- CVE-2025-63389 9.8 ollama: Missing Auth allows unauthenticated access (Same package: ollama)
- CVE-2026-44007 9.1 vm2: sandbox escape via nesting:true enables RCE (Same package: ollama)
- CVE-2026-7482 9.1 Ollama: heap OOB read leaks API keys and chat data (Same package: ollama)
- CVE-2024-37032 8.8 Ollama: path traversal enables RCE via model blob API (Same package: ollama)
- CVE-2024-39720 8.2 Ollama: OOB read in GGUF parser enables remote DoS (Same package: ollama)