I responsibly disclosed 5 vulnerabilities in Ollama and LiteLLM through Huntr - now publicly disclosed after 90 days
Five vulnerabilities were responsibly disclosed in Ollama and LiteLLM after a 90-day coordinated disclosure period. In Ollama, vulnerabilities include a GGUF string length panic causing a denial of service and an unbounded vocab_size resource exhaustion leading to excessive CPU and memory use. In LiteLLM, issues include a Pass-the-Hash authentication bypass, an SSRF vulnerability via custom guardrails, and a Unicode normalization flaw that could enable sandbox escape. These vulnerabilities stem from overlooked areas in AI infrastructure such as model parsing, resource controls, authentication, network boundaries, and Unicode handling. The disclosures include technical details, root cause analyses, and proof-of-concept exploits for educational and defensive use.
AI Analysis
Technical Summary
Security research identified five vulnerabilities in Ollama and LiteLLM, disclosed after 90 days via Huntr. Ollama's vulnerabilities include a GGUF parser panic triggered by an attacker-controlled 64-bit string length field without proper bounds checking, causing a runtime panic and service crash (denial of service). Another Ollama issue involves an unbounded vocab_size parameter used during model conversion, allowing attackers to cause excessive memory and CPU consumption, leading to resource exhaustion and host instability. LiteLLM vulnerabilities include a Pass-the-Hash authentication bypass, an SSRF vulnerability through custom guardrails, and a Unicode normalization issue that could lead to sandbox escape scenarios. The research highlights security risks in AI model handling, resource allocation, authentication logic, network trust boundaries, and Unicode edge cases. Technical repositories provide detailed analyses, proof-of-concept code, and remediation suggestions.
Potential Impact
The vulnerabilities in Ollama can cause remote denial of service through service crashes and resource exhaustion, potentially leading to complete loss of availability and host instability. LiteLLM's vulnerabilities include authentication bypass, which could allow unauthorized access, SSRF attacks that may enable internal network access, and sandbox escape risks that could compromise containment mechanisms. These impacts affect the confidentiality, integrity, and availability of the affected AI infrastructure components.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The disclosures include remediation recommendations; users and administrators should review the published technical details and apply any available fixes or mitigations. Since these vulnerabilities were responsibly disclosed and published after a 90-day period, it is recommended to monitor the official repositories and vendor advisories for patches or updates addressing these issues. Until patches are applied, consider restricting access to vulnerable components and carefully validating inputs related to model parsing, resource parameters, authentication, and network requests.
I responsibly disclosed 5 vulnerabilities in Ollama and LiteLLM through Huntr - now publicly disclosed after 90 days
Description
Five vulnerabilities were responsibly disclosed in Ollama and LiteLLM after a 90-day coordinated disclosure period. In Ollama, vulnerabilities include a GGUF string length panic causing a denial of service and an unbounded vocab_size resource exhaustion leading to excessive CPU and memory use. In LiteLLM, issues include a Pass-the-Hash authentication bypass, an SSRF vulnerability via custom guardrails, and a Unicode normalization flaw that could enable sandbox escape. These vulnerabilities stem from overlooked areas in AI infrastructure such as model parsing, resource controls, authentication, network boundaries, and Unicode handling. The disclosures include technical details, root cause analyses, and proof-of-concept exploits for educational and defensive use.
Reddit Discussion
Over the past few months, I conducted security research on Ollama and LiteLLM and reported several vulnerabilities through Huntr's coordinated vulnerability disclosure program.
Following the standard 90 day disclosure period, the findings have now been publicly disclosed.
The research resulted in five reported vulnerabilities. In Ollama, I identified a GGUF String Length Panic vulnerability that could lead to denial of service, as well as an unbounded vocab_size resource exhaustion issue that could cause excessive memory and CPU consumption. In LiteLLM, I reported a Pass-the-Hash authentication bypass, an SSRF vulnerability through custom guardrails, and a Unicode normalization issue that could lead to sandbox escape scenarios. What stood out during this research was how many impactful security issues originated from areas that are often overlooked in AI infrastructure, including model parsing and conversion pipelines, resource allocation controls, authentication logic, network trust boundaries, and Unicode normalization edge cases.
The repositories contain technical details, root cause analyses, proof of concepts, impact assessments, remediation recommendations, and links to the published Huntr disclosures.
Ollama research:
https://github.com/regaan/ollama-security-research
LiteLLM research:
https://github.com/regaan/litellm-vulnerability-research
All research was conducted and disclosed responsibly. The published material is intended strictly for educational, defensive, and research purposes. I am happy to answer questions about the disclosure process, research methodology, root cause analysis, or AI and LLM security in general.
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Security research identified five vulnerabilities in Ollama and LiteLLM, disclosed after 90 days via Huntr. Ollama's vulnerabilities include a GGUF parser panic triggered by an attacker-controlled 64-bit string length field without proper bounds checking, causing a runtime panic and service crash (denial of service). Another Ollama issue involves an unbounded vocab_size parameter used during model conversion, allowing attackers to cause excessive memory and CPU consumption, leading to resource exhaustion and host instability. LiteLLM vulnerabilities include a Pass-the-Hash authentication bypass, an SSRF vulnerability through custom guardrails, and a Unicode normalization issue that could lead to sandbox escape scenarios. The research highlights security risks in AI model handling, resource allocation, authentication logic, network trust boundaries, and Unicode edge cases. Technical repositories provide detailed analyses, proof-of-concept code, and remediation suggestions.
Potential Impact
The vulnerabilities in Ollama can cause remote denial of service through service crashes and resource exhaustion, potentially leading to complete loss of availability and host instability. LiteLLM's vulnerabilities include authentication bypass, which could allow unauthorized access, SSRF attacks that may enable internal network access, and sandbox escape risks that could compromise containment mechanisms. These impacts affect the confidentiality, integrity, and availability of the affected AI infrastructure components.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The disclosures include remediation recommendations; users and administrators should review the published technical details and apply any available fixes or mitigations. Since these vulnerabilities were responsibly disclosed and published after a 90-day period, it is recommended to monitor the official repositories and vendor advisories for patches or updates addressing these issues. Until patches are applied, consider restricting access to vulnerable components and carefully validating inputs related to model parsing, resource parameters, authentication, and network requests.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a486e1d27e9c79719d46fc8
Added to database: 07/04/2026, 02:21:17 UTC
Last enriched: 07/04/2026, 02:21:26 UTC
Last updated: 07/04/2026, 03:21:11 UTC
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.