CVE-2025-1975: Ollama: DoS via malicious manifest in /api/pull

Severity: Unknown | PoC available | CISA SSVC: Track*
Published May 16, 2025
CISO Take

Ollama 0.5.11 crashes when processing a crafted model manifest through the /api/pull endpoint due to missing array index validation. Any user with network access to your Ollama instance can take down your LLM inference service. Update immediately and restrict /api/pull to trusted networks or authenticated users.

What is the risk?

Risk is HIGH for organizations running Ollama in shared or network-accessible environments. Ollama ships with no authentication by default, meaning any network-reachable instance is trivially exploitable. The crash is deterministic — a single malformed request suffices. In DevOps and MLOps pipelines where Ollama runs as a shared inference backend, this translates directly to service disruption across dependent AI workloads. No evidence of active exploitation yet, but the exploit surface is large given Ollama's adoption in enterprise AI labs.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Ollama  | pip       |                  | No patch

Do you use Ollama? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.4% chance of exploitation in 30 days (higher than 34% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

5 steps
  1. PATCH

    Upgrade Ollama beyond 0.5.11 immediately. Check https://github.com/ollama/ollama/releases for the fixed version.

  2. NETWORK ISOLATION

    Restrict Ollama port (default 11434) to localhost or trusted subnets only using firewall rules. Never expose Ollama directly to the internet.

  3. AUTHENTICATION PROXY

    Place a reverse proxy (nginx, Caddy) with authentication in front of Ollama if multi-user access is required.

  4. DETECTION

    Alert on repeated 5xx errors or unexpected Ollama process restarts. Monitor for anomalous POST /api/pull requests from unexpected sources.

  5. WORKAROUND (if patching is not immediate)

    Disable or firewall the /api/pull endpoint if model pulling is not required at runtime.
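As an added example (not from the advisory and not Ollama project code), the following Go program applies the two detection ideas from step 4 to constructed access-log lines taken from a reverse proxy placed in front of Ollama. The four-field log format, the trusted network 10.0.1.0/24 and the 5xx threshold are assumptions.

```go
package main

import (
	"net"
	"strings"
)

// Constructed sample lines in a minimal reverse-proxy access-log format,
// "<client-ip> <method> <path> <status>". Not real Ollama or proxy output.
var sampleLog = []string{
	"10.0.1.5 POST /api/pull 200",
	"10.0.1.5 POST /api/generate 200",
	"192.168.7.20 POST /api/pull 500",
	"192.168.7.20 POST /api/pull 502",
	"192.168.7.20 POST /api/pull 502",
	"10.0.1.9 GET /api/tags 200",
}

// Assumed site-specific allowlist: the only network permitted to pull models.
var _, trustedPullNet, _ = net.ParseCIDR("10.0.1.0/24")

func trusted(ip string) bool {
	a := net.ParseIP(ip)
	return a != nil && trustedPullNet.Contains(a)
}

// Analyze applies the advisory's two detection ideas to access-log lines and
// returns one "<source>: <reason>" string per finding: a POST /api/pull from
// outside the allowlist, and a source reaching `threshold` 5xx responses,
// which is what a backend crash-and-restart loop looks like from the proxy.
func Analyze(lines []string, threshold int) []string {
	var alerts []string
	fiveXX := map[string]int{}
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 4 {
			continue // tolerate malformed lines instead of failing on them
		}
		src, method, path, status := f[0], f[1], f[2], f[3]
		if method == "POST" && path == "/api/pull" && !trusted(src) {
			alerts = append(alerts, src+": POST /api/pull from untrusted source")
		}
		if strings.HasPrefix(status, "5") {
			if fiveXX[src]++; fiveXX[src] == threshold {
				alerts = append(alerts, src+": repeated 5xx responses, possible backend crash loop")
			}
		}
	}
	return alerts
}
```

On the sample data, the untrusted source trips both rules: three pull attempts from outside the allowlist, then the 5xx counter reaching the threshold.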

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain effectiveness of risk responses
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-1975?

Ollama 0.5.11 crashes when processing a crafted model manifest through the /api/pull endpoint due to missing array index validation. Any user with network access to your Ollama instance can take down your LLM inference service. Update immediately and restrict /api/pull to trusted networks or authenticated users.

Is CVE-2025-1975 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1975, increasing the risk of exploitation.

How to fix CVE-2025-1975?

1. PATCH: Upgrade Ollama beyond 0.5.11 immediately. Check https://github.com/ollama/ollama/releases for the fixed version.
2. NETWORK ISOLATION: Restrict Ollama port (default 11434) to localhost or trusted subnets only using firewall rules. Never expose Ollama directly to the internet.
3. AUTHENTICATION PROXY: Place a reverse proxy (nginx, Caddy) with authentication in front of Ollama if multi-user access is required.
4. DETECTION: Alert on repeated 5xx errors or unexpected Ollama process restarts. Monitor for anomalous POST /api/pull requests from unexpected sources.
5. WORKAROUND (if patching is not immediate): Disable or firewall the /api/pull endpoint if model pulling is not required at runtime.

What systems are affected by CVE-2025-1975?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference, RAG pipelines, agent frameworks, local AI deployments.

What is the CVSS score for CVE-2025-1975?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving, LLM inference, RAG pipelines, agent frameworks, local AI deployments

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a model via the /api/pull endpoint, which can lead to a server crash.

Exploitation Scenario

An attacker with network access to an Ollama instance — an insider, compromised developer machine, or lateral movement from another host — sends a POST request to /api/pull with a crafted manifest payload that includes malformed array indices. The Ollama server attempts to access an out-of-bounds array index during manifest parsing, triggering a panic/crash. The attacker can repeat this after each restart to maintain a persistent DoS condition, effectively taking down any AI application stack dependent on that Ollama instance (chatbots, RAG pipelines, agentic workflows).

Weaknesses (CWE)

CWE-129 — Improper Validation of Array Index: The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.

Source: MITRE CWE corpus.
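To illustrate the CWE-129 pattern the advisory describes, here is an added Go example (not Ollama's code; the manifest shape, field names and sample documents are hypothetical) showing an unchecked layer-index lookup next to its bounds-checked form, with a small helper that demonstrates the panic without crashing the program.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical manifest shape used only for illustration; it is not Ollama's
// real manifest format. A field in the untrusted document selects a layer.
type Layer struct {
	Digest string `json:"digest"`
}

type Manifest struct {
	Layers     []Layer `json:"layers"`
	ModelLayer int     `json:"modelLayer"` // attacker-controlled index
}

// Constructed samples: a well-formed manifest, and one whose index points past
// the end of the layers array (the CWE-129 condition the advisory describes).
const goodManifest = `{"layers":[{"digest":"sha256:aa"}],"modelLayer":0}`
const badManifest = `{"layers":[{"digest":"sha256:aa"}],"modelLayer":7}`

func parseManifest(raw []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(raw, &m)
	return m, err
}

// unsafeSelect trusts the index as-is: out of range panics, and an unrecovered panic kills the server process.
func unsafeSelect(m Manifest) Layer {
	return m.Layers[m.ModelLayer]
}

// safeSelect validates the index against the slice bounds before indexing and
// reports the problem as an error the handler can map to a 4xx response.
func safeSelect(m Manifest) (Layer, error) {
	if m.ModelLayer < 0 || m.ModelLayer >= len(m.Layers) {
		return Layer{}, fmt.Errorf("modelLayer %d out of range [0,%d)", m.ModelLayer, len(m.Layers))
	}
	return m.Layers[m.ModelLayer], nil
}

// panics reports whether f panics, so the unchecked path's crash can be shown safely.
func panics(f func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	f()
	return false
}
```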

Timeline

Published
May 16, 2025
Last Modified
June 24, 2025
First Seen
May 16, 2025
