CVE-2025-66959

HIGH

Published January 21, 2026

CISO Take

CVE-2025-66959 is a network-exploitable DoS in Ollama's GGUF decoder requiring zero authentication — any Ollama instance exposed to untrusted networks is at immediate risk of being crashed. Patch to a version past 0.12.10 immediately and restrict Ollama's API port (default 11434) to localhost or trusted network segments only. If you cannot patch today, a firewall rule blocking external access to port 11434 is an effective temporary control.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
ollama	pip	—	No patch

Do you use ollama? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade Ollama beyond version 0.12.10. Monitor https://github.com/ollama/ollama/releases for a fixed release. 2. NETWORK ISOLATION (immediate workaround): Ensure Ollama binds to 127.0.0.1 only (default is localhost, verify with `ss -tlnp | grep 11434`). Block port 11434 at the host firewall and any network perimeter for all non-whitelisted sources. 3. REVERSE PROXY WITH AUTH: If Ollama must be network-accessible, front it with nginx/Caddy requiring authentication — Ollama itself has no native auth. 4. DETECTION: Monitor for Ollama process crashes/restarts, unusual HTTP 5xx spikes on port 11434, and oversized or malformed POST payloads to /api endpoints. Alert on process exits from the Ollama service unit. 5. INVENTORY: Identify all Ollama instances in your environment — dev workstations with open Wi-Fi connections are a common overlooked exposure.

Classification

DoS Inference Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system availability and resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain deployed AI system value and manage risks MANAGE 2.4 - Residual risks are managed and monitored

OWASP LLM Top 10

LLM04 - Model Denial of Service

Technical Details

NVD Description

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder

Exploitation Scenario

An adversary scans corporate IP ranges or cloud VPC subnets for open port 11434 (Ollama default). Upon finding a responsive instance, they craft a GGUF file with a maliciously oversized or invalid length field in the decoder metadata — as documented in the PoC blog referenced in the CVE. They POST this payload to Ollama's model load or generate endpoint. The GGUF decoder attempts to copy a buffer of the attacker-controlled length without bounds checking, triggering a panic that crashes the Ollama process. If Ollama lacks a process supervisor (systemd with Restart=always), the service stays down. In environments where AI copilots, RAG systems, or model-serving APIs depend on this Ollama instance, the downstream services become unavailable — causing a cascading outage without requiring any credentials or prior access.

Weaknesses (CWE)

CWE-20 CWE-400

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

github.com/ollama/ollama/issues/9820
Exploit Issue Vendor
zero.shotlearni.ng/blog/cve-2025-66959panic-dos-via-unchecked-length-in-gguf-decoder-copy/
Exploit 3rd Party

Timeline

Published

January 21, 2026

Last Modified

February 2, 2026

First Seen

January 21, 2026

Back to Threat Feed