x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-wrh5-cmwx-q2qr #3695

GoVulnBot · 2025-05-17T16:02:24Z

Advisory GHSA-wrh5-cmwx-q2qr references a vulnerability in the following Go modules:

Module
github.com/ollama/ollama

Description:
A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a model via the /api/pull endpoint, which can lead to a server crash.

References:

ADVISORY: GHSA-wrh5-cmwx-q2qr
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-1975
WEB: https://huntr.com/bounties/921ba5d4-f1d0-4c66-9764-4f72dffe7acd

Cross references:

github.com/ollama/ollama appears in 9 other report(s):
- data/reports/GO-2024-2901.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: CVE-2024-37032 #2901)
- data/reports/GO-2024-3104.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: CVE-2024-45436 #3104)
- data/reports/GO-2024-3245.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: CVE-2024-39720 #3245)
- data/reports/GO-2025-3548.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-v464-r2r9-www7 #3548)
- data/reports/GO-2025-3557.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-fccc-8m69-8r78 #3557)
- data/reports/GO-2025-3558.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-89qx-m49c-8crf #3558)
- data/reports/GO-2025-3559.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-9gcr-28rp-cc24 #3559)
- data/reports/GO-2025-3582.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-p2wh-w96x-w232 #3582)
- data/reports/GO-2025-3689.yaml (x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-2xf2-gjm6-g2c6 #3689)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ollama/ollama
      vulnerable_at: 0.7.0
summary: Ollama Server Vulnerable to Denial of Service (DoS) Attack in github.com/ollama/ollama
cves:
    - CVE-2025-1975
ghsas:
    - GHSA-wrh5-cmwx-q2qr
references:
    - advisory: https://github.com/advisories/GHSA-wrh5-cmwx-q2qr
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1975
    - web: https://huntr.com/bounties/921ba5d4-f1d0-4c66-9764-4f72dffe7acd
source:
    id: GHSA-wrh5-cmwx-q2qr
    created: 2025-05-17T16:02:24.673701905Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-05-20T16:58:15Z

Change https://go.dev/cl/674495 mentions this issue: data/reports: add GO-2025-3695

- data/reports/GO-2025-3695.yaml Updates #3695 Change-Id: Iad4306acd112da47fa4a6bd68f6a00c70f7ae914 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/674495 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Neal Patel <nealpatel@google.com>

GoVulnBot added the NeedsTriage label May 17, 2025

thatnealpatel added high priority triaged and removed NeedsTriage labels May 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-wrh5-cmwx-q2qr #3695

x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-wrh5-cmwx-q2qr #3695

Uh oh!

x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-wrh5-cmwx-q2qr #3695

x/vulndb: potential Go vuln in github.com/ollama/ollama: GHSA-wrh5-cmwx-q2qr #3695

Comments

Uh oh!