[GH-ISSUE #16033] HIGH CVE Vulnerabilities reported in OLLAMA GOBinary #87894

Open
opened 2026-05-10 06:33:26 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @hteeyeoh on GitHub (May 7, 2026).
Original GitHub issue: https://github.com/ollama/ollama/issues/16033

What is the issue?

Path: /usr/local/bin/ollama (Go binary)

Vulnerability Summary

Total: 36
CRITICAL: 1
HIGH: 11
MEDIUM: 23
LOW: 1
UNKNOWN: 0

================================================================================
Library: github.com/buger/jsonparser

================================================================================
Library: golang.org/x/crypto

================================================================================
Library: golang.org/x/image

================================================================================
Library: Go Standard Library (stdlib)

================================================================================

Relevant log output


OS

Linux

GPU

No response

CPU

No response

Ollama version

0.23.0

Originally created by @hteeyeoh on GitHub (May 7, 2026). Original GitHub issue: https://github.com/ollama/ollama/issues/16033 ### What is the issue? Path: /usr/local/bin/ollama (Go binary) Vulnerability Summary --------------------- Total: 36 CRITICAL: 1 HIGH: 11 MEDIUM: 23 LOW: 1 UNKNOWN: 0 ================================================================================ Library: github.com/buger/jsonparser -------------------------------------------------------------------------------- - CVE: CVE-2026-32285 - Severity: HIGH - Status: FIXED - Installed Version: v1.1.1 - Fixed Version: 1.1.2 - Issue: Denial of Service via malformed JSON input - Ref: https://avd.aquasec.com/nvd/cve-2026-32285 ================================================================================ Library: golang.org/x/crypto -------------------------------------------------------------------------------- - CVE: CVE-2025-47914 - Severity: MEDIUM - Installed Version: v0.43.0 - Fixed Version: 0.45.0 - Issue: SSH agent DoS via malformed messages - Ref: https://avd.aquasec.com/nvd/cve-2025-47914 - CVE: CVE-2025-58181 - Severity: MEDIUM - Issue: SSH GSSAPI authentication DoS due to unbounded memory usage - Ref: https://avd.aquasec.com/nvd/cve-2025-58181 ================================================================================ Library: golang.org/x/image -------------------------------------------------------------------------------- - CVE: CVE-2026-33809 - Severity: MEDIUM - Installed Version: v0.22.0 - Fixed Version: 0.38.0 - Issue: DoS via malicious TIFF file - Ref: https://avd.aquasec.com/nvd/cve-2026-33809 ================================================================================ Library: Go Standard Library (stdlib) -------------------------------------------------------------------------------- - CVE: CVE-2025-68121 - Severity: CRITICAL - Installed Version: v1.24.1 - Fixed Versions: 1.24.13, 1.25.7, 1.26.0-rc.3 - Issue: Incorrect certificate validation during TLS resumption - Ref: https://avd.aquasec.com/nvd/cve-2025-68121 - CVE: CVE-2025-22874 - Severity: HIGH - Fixed Version: 1.24.4 - Issue: ExtKeyUsageAny disables policy validation in crypto/x509 - Ref: https://avd.aquasec.com/nvd/cve-2025-22874 - CVE: CVE-2026-25679 - Severity: MEDIUM - Fixed Versions: 1.25.8, 1.26.1 - Issue: Incorrect IPv6 literal parsing in net/url - Ref: https://avd.aquasec.com/nvd/cve-2026-25679 - CVE: CVE-2026-32280 - Severity: MEDIUM - Fixed Versions: 1.25.9, 1.26.2 - Issue: DoS in certificate chain building - Ref: https://avd.aquasec.com/nvd/cve-2026-32280 - CVE: CVE-2026-32289 - Severity: MEDIUM - Issue: XSS risk in html/template due to improper context handling - Ref: https://avd.aquasec.com/nvd/cve-2026-32289 - CVE: CVE-2026-27139 - Severity: LOW - Fixed Versions: 1.25.8, 1.26.1 - Issue: os.FileInfo can escape Root confinement - Ref: https://avd.aquasec.com/nvd/cve-2026-27139 ================================================================================ ### Relevant log output ```shell ``` ### OS Linux ### GPU _No response_ ### CPU _No response_ ### Ollama version 0.23.0
GiteaMirror added the bug label 2026-05-10 06:33:26 -05:00
Author
Owner

@rick-github commented on GitHub (May 7, 2026):

Try testing the latest release.

<!-- gh-comment-id:4396197151 --> @rick-github commented on GitHub (May 7, 2026): Try testing the latest release.
Author
Owner

@hteeyeoh commented on GitHub (May 7, 2026):

Try testing the latest release.

tried with latest 0.23.1 version still observed the vulnerabilities:

Image
<!-- gh-comment-id:4396250121 --> @hteeyeoh commented on GitHub (May 7, 2026): > Try testing the latest release. tried with latest 0.23.1 version still observed the vulnerabilities: <img width="1072" height="854" alt="Image" src="https://github.com/user-attachments/assets/9583883a-ad00-48ec-9737-9fe16050da5e" />
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/ollama#87894