Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-12055 | Ollama: DoS via malicious gguf model file upload | ollama | 7.5 |
| HIGH | CVE-2024-8063 | ollama: divide-by-zero DoS via crafted GGUF model import | ollama | 7.5 |
| HIGH | CVE-2025-0312 | Ollama: null pointer DoS via malicious GGUF model upload | ollama | 7.5 |
| HIGH | CVE-2025-0315 | Ollama: GGUF model upload causes memory exhaustion DoS | ollama | 7.5 |
| HIGH | CVE-2025-0317 | Ollama: DoS via malicious GGUF model file upload | ollama | 7.5 |
| UNKNOWN | CVE-2025-1975 | Ollama: DoS via malicious manifest in /api/pull | ollama | - |
| MEDIUM | CVE-2025-51471 | Ollama: auth token hijack via crafted WWW-Authenticate | ollama | 6.9 |
| MEDIUM | CVE-2025-44779 | Ollama: arbitrary file deletion via /api/pull | ollama | 6.6 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| HIGH | CVE-2025-15514 | ollama: security flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2025-66959 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2025-66960 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | - | |
| MEDIUM | CVE-2023-41626 | Gradio: arbitrary file upload via /upload endpoint | gradio | 4.8 |
| HIGH | CVE-2023-46315 | Infinite Image Browsing: path traversal leaks credentials | 7.5 | |
| HIGH | CVE-2023-6572 | Gradio: command injection enables RCE on ML servers | gradio | 8.1 |
| CRITICAL | CVE-2024-0964 | Gradio: unauthenticated LFI exposes full server filesystem | gradio | 9.4 |
| MEDIUM | CVE-2024-2206 | Gradio: SSRF exposes internal HuggingFace endpoints | gradio | 6.5 |
| UNKNOWN | CVE-2024-1729 | Gradio: timing attack enables auth bypass on ML UIs | gradio | - |
| HIGH | CVE-2024-1728 | Gradio: path traversal leaks arbitrary files, potential RCE | gradio | 7.5 |