CVE-2025-1975 — Ollama Server Vulnerable to Denial of Service (DoS) Attack in github.com/ollama/

Description

A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a model via the /api/pull endpoint, which can lead to a server crash.

How to fix CVE-2025-1975

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed
—no fix listed

Is CVE-2025-1975 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, <= 0.5.11
from 0
from 0, <= 0.5.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYgithub.com/advisories/GHSA-wrh5-cmwx-q2qr
ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-1975
EXPLOIThuntr.com/bounties/921ba5d4-f1d0-4c66-9764-4f72dffe7acd
PATCHgithub.com/ollama/ollama
WEB