CVE-2024-37032: Ollama Path Traversal Vulnerability

CVE-2024-37032 Overview

CVE-2024-37032 is a path traversal vulnerability affecting Ollama, the popular open-source framework for running large language models (LLMs) locally. The vulnerability exists in versions prior to 0.1.34 where Ollama fails to validate the format of the digest parameter when resolving model paths. Specifically, the application does not properly verify that digest values conform to the expected SHA256 format (64 hexadecimal digits), enabling attackers to craft malicious digest values containing path traversal sequences such as ../ to escape intended directories.

Critical Impact
This path traversal vulnerability can be exploited to achieve remote code execution (RCE) by manipulating file paths to overwrite critical system files or plant malicious executables on the target system.

Affected Products

Ollama versions prior to 0.1.34
All platforms running vulnerable Ollama instances (Linux, macOS, Windows)
Systems with Ollama API endpoints exposed to untrusted networks

Discovery Timeline

2024-05-31 - CVE-2024-37032 published to NVD
2025-05-01 - Last updated in NVD database

Technical Details for CVE-2024-37032

Vulnerability Analysis

The vulnerability resides in Ollama's model path resolution logic. When processing model requests, Ollama uses a digest parameter to locate model files on the filesystem. The digest is expected to be a valid SHA256 hash consisting of exactly 64 hexadecimal characters. However, vulnerable versions do not validate this format constraint, allowing attackers to supply malformed digest values.

The test cases in the source code explicitly document the vulnerable conditions: digests with fewer than 64 hex digits, more than 64 hex digits, or those containing directory traversal sequences like ../ at the beginning of the string are not properly rejected. This allows an attacker to manipulate the resolved file path and access or overwrite files outside the intended model directory.

Given Ollama's architecture as an AI model server typically running with elevated permissions to manage model files and GPU resources, successful exploitation can lead to arbitrary file write capabilities, which can be chained to achieve full remote code execution on the host system.

Root Cause

The root cause of CVE-2024-37032 is insufficient input validation in the GetBlobsPath function. The function accepts user-controlled digest values without verifying that they:

Consist only of hexadecimal characters (0-9, a-f)
Are exactly 64 characters in length (SHA256 hash length)
Do not contain path traversal sequences (../, ..\\)

This missing validation allows directory traversal attacks where malicious digest values can redirect file operations to arbitrary filesystem locations.

Attack Vector

The attack can be executed remotely over the network by an authenticated user with access to the Ollama API. The attacker crafts a malicious request containing a digest value with path traversal sequences. When Ollama processes this request, the unvalidated digest is concatenated with the base model path, allowing the attacker to:

Read sensitive files from the filesystem by traversing to system directories
Write malicious content to arbitrary locations by abusing model download/update functionality
Achieve remote code execution by overwriting configuration files, cron jobs, or executable files

The exploitation requires low privileges and no user interaction, making it particularly dangerous for Ollama deployments exposed to untrusted networks.

Detection Methods for CVE-2024-37032

Indicators of Compromise

Unusual model pull requests containing ../ sequences in digest parameters
Unexpected file modifications outside of Ollama's model storage directories
Ollama API access logs showing malformed SHA256 digest values (non-hex characters, incorrect length)
New or modified files in system directories that coincide with Ollama API activity

Detection Strategies

Monitor Ollama API logs for requests containing path traversal patterns (../, ..\\) in digest or model path parameters
Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences in requests to Ollama endpoints
Use file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
Deploy network-based intrusion detection signatures for Ollama API path traversal attempts

Monitoring Recommendations

Enable verbose logging on Ollama instances and centralize log collection for security analysis
Set up alerts for API requests with digest values that deviate from expected SHA256 format (64 hex characters)
Monitor process execution on Ollama hosts for suspicious child processes spawned after API requests
Review Ollama access patterns for unusual request volumes or sources attempting model operations

How to Mitigate CVE-2024-37032

Immediate Actions Required

Upgrade Ollama to version 0.1.34 or later immediately on all affected systems
Restrict network access to Ollama API endpoints using firewall rules to limit exposure to trusted networks only
Review system logs for evidence of exploitation attempts before patching
Conduct file integrity verification on systems that may have been exposed

Patch Information

The vulnerability was addressed in Ollama version 0.1.34. The fix implements proper validation of digest values to ensure they conform to the expected SHA256 format before being used in path operations. The patch specifically adds checks for hexadecimal character validation and length verification, rejecting any digest containing path traversal sequences.

For detailed information about the security fix, refer to the GitHub Pull Request and the version comparison between v0.1.33 and v0.1.34.

Workarounds

If immediate patching is not possible, place Ollama behind a reverse proxy that filters requests containing path traversal sequences
Restrict Ollama API access to localhost only and use SSH tunneling for remote access
Implement application-layer filtering to validate digest parameters before they reach Ollama
Consider running Ollama in a containerized environment with read-only filesystem mounts to limit the impact of potential exploitation

bash

# Example: Restrict Ollama to localhost binding only
# Edit Ollama configuration or startup parameters
OLLAMA_HOST=127.0.0.1:11434 ollama serve

# Example: iptables rule to restrict access to Ollama API
iptables -A INPUT -p tcp --dport 11434 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 11434 -j DROP

CVE-2024-37032 Overview

Critical Impact
This path traversal vulnerability can be exploited to achieve remote code execution (RCE) by manipulating file paths to overwrite critical system files or plant malicious executables on the target system.

Affected Products

Ollama versions prior to 0.1.34
All platforms running vulnerable Ollama instances (Linux, macOS, Windows)
Systems with Ollama API endpoints exposed to untrusted networks

Discovery Timeline

2024-05-31 - CVE-2024-37032 published to NVD
2025-05-01 - Last updated in NVD database

Technical Details for CVE-2024-37032

Vulnerability Analysis

Root Cause

The root cause of CVE-2024-37032 is insufficient input validation in the GetBlobsPath function. The function accepts user-controlled digest values without verifying that they:

Consist only of hexadecimal characters (0-9, a-f)
Are exactly 64 characters in length (SHA256 hash length)
Do not contain path traversal sequences (../, ..\\)

This missing validation allows directory traversal attacks where malicious digest values can redirect file operations to arbitrary filesystem locations.

Attack Vector

Read sensitive files from the filesystem by traversing to system directories
Write malicious content to arbitrary locations by abusing model download/update functionality
Achieve remote code execution by overwriting configuration files, cron jobs, or executable files

The exploitation requires low privileges and no user interaction, making it particularly dangerous for Ollama deployments exposed to untrusted networks.

Detection Methods for CVE-2024-37032

Indicators of Compromise

Unusual model pull requests containing ../ sequences in digest parameters
Unexpected file modifications outside of Ollama's model storage directories
Ollama API access logs showing malformed SHA256 digest values (non-hex characters, incorrect length)
New or modified files in system directories that coincide with Ollama API activity

Detection Strategies

Monitor Ollama API logs for requests containing path traversal patterns (../, ..\\) in digest or model path parameters
Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences in requests to Ollama endpoints
Use file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
Deploy network-based intrusion detection signatures for Ollama API path traversal attempts

Monitoring Recommendations

Enable verbose logging on Ollama instances and centralize log collection for security analysis
Set up alerts for API requests with digest values that deviate from expected SHA256 format (64 hex characters)
Monitor process execution on Ollama hosts for suspicious child processes spawned after API requests
Review Ollama access patterns for unusual request volumes or sources attempting model operations

How to Mitigate CVE-2024-37032

Immediate Actions Required

Upgrade Ollama to version 0.1.34 or later immediately on all affected systems
Restrict network access to Ollama API endpoints using firewall rules to limit exposure to trusted networks only
Review system logs for evidence of exploitation attempts before patching
Conduct file integrity verification on systems that may have been exposed

Patch Information

For detailed information about the security fix, refer to the GitHub Pull Request and the version comparison between v0.1.33 and v0.1.34.

Workarounds

If immediate patching is not possible, place Ollama behind a reverse proxy that filters requests containing path traversal sequences
Restrict Ollama API access to localhost only and use SSH tunneling for remote access
Implement application-layer filtering to validate digest parameters before they reach Ollama
Consider running Ollama in a containerized environment with read-only filesystem mounts to limit the impact of potential exploitation

bash

# Example: Restrict Ollama to localhost binding only
# Edit Ollama configuration or startup parameters
OLLAMA_HOST=127.0.0.1:11434 ollama serve

# Example: iptables rule to restrict access to Ollama API
iptables -A INPUT -p tcp --dport 11434 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 11434 -j DROP

CVE-2024-37032: Ollama Path Traversal Vulnerability

CVE-2024-37032 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-37032

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-37032

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-37032

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2024-37032: Ollama Path Traversal Vulnerability

CVE-2024-37032 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-37032

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-37032

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-37032

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform