CVE-2024-39719 Overview
CVE-2024-39719 is an information disclosure vulnerability in Ollama through version 0.3.14. The flaw exists in the api/create endpoint, which accepts a path parameter when calling the CreateModel route. When the supplied path does not exist on the server, the API reflects a File does not exist error message back to the caller. Attackers use this behavior as an oracle to enumerate arbitrary file paths on the host. The issue maps to [CWE-209] Information Exposure Through an Error Message and is exploitable over the network without authentication.
Critical Impact
Unauthenticated remote attackers can probe the Ollama server's file system to confirm the presence of sensitive files, supporting reconnaissance for follow-on attacks.
Affected Products
- Ollama versions up to and including 0.3.14
- Self-hosted Ollama deployments exposing api/create
- Container and cloud workloads running vulnerable Ollama builds
Discovery Timeline
- 2024-10-31 - CVE-2024-39719 published to NVD
- 2025-05-13 - Last updated in NVD database
Technical Details for CVE-2024-39719
Vulnerability Analysis
Ollama exposes an HTTP API for managing local large language models. The api/create route invokes the CreateModel handler, which accepts a path parameter pointing to a model file on the server. When the handler cannot locate the supplied path, it returns a verbose error string containing File does not exist directly to the HTTP client. Attackers turn this differential response into a file existence primitive. By iterating candidate absolute paths and observing which requests return the File does not exist error versus a different error, an unauthenticated attacker maps the server file system. This reconnaissance accelerates targeting of credentials, configuration files, SSH keys, and other artifacts on the host. The EPSS percentile of 97.641 reflects active interest in Ollama API weaknesses.
Root Cause
The handler fails to sanitize or generalize error output before returning it to remote callers. Detailed file system feedback is treated the same for authenticated and unauthenticated requests, violating the principle of least information disclosure described in [CWE-209].
Attack Vector
Exploitation requires only HTTP access to the Ollama service. The attacker issues POST requests to api/create with a JSON body containing a path field set to candidate file locations. Responses containing the File does not exist string confirm absence, while responses lacking that string indicate the file is present and reachable by the Ollama process. No user interaction or privileges are required.
The vulnerability is documented in the Oligo Security research on Ollama.
Detection Methods for CVE-2024-39719
Indicators of Compromise
- High volumes of POST requests to api/create from a single source IP within a short window
- Request bodies containing a path field referencing system paths such as /etc/, /root/, /home/, or C:\Users\
- Responses from Ollama returning the File does not exist error string at elevated rates
- Sequential probing patterns suggesting wordlist-driven file enumeration
Detection Strategies
- Inspect Ollama access logs for repeated api/create calls with varying path parameters
- Alert on outbound File does not exist error responses exceeding a baseline threshold
- Correlate API probes with subsequent access attempts against discovered paths
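The first two strategies above, as an added detection example that is not part of this advisory: it parses reverse-proxy access lines in nginx "combined" format, counts POST requests to /api/create per source in a sliding window, and flags sources that cross a burst threshold. The log lines are constructed for illustration, lines are assumed to arrive in chronological order, and the threshold and window are tuning assumptions, not vendor values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches nginx "combined" access lines: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_probing_sources(lines, threshold=5, window_s=60):
    """Count POST /api/create per source IP inside a sliding time window.
    Returns {ip: peak_count} for every source that reached the threshold.
    Assumes lines are in chronological order, as access logs normally are."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path.split("?")[0] != "/api/create":
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: one noisy source and one ordinary client (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Oct/2024:12:00:01 +0000] "POST /api/create HTTP/1.1" 400 62 "-" "curl/8.4.0"',
    '192.168.1.20 - - [31/Oct/2024:12:00:03 +0000] "GET /api/tags HTTP/1.1" 200 311 "-" "ollama-js/0.5"',
    '10.0.0.5 - - [31/Oct/2024:12:00:04 +0000] "POST /api/create HTTP/1.1" 400 62 "-" "curl/8.4.0"',
    '10.0.0.5 - - [31/Oct/2024:12:00:06 +0000] "POST /api/create HTTP/1.1" 400 62 "-" "curl/8.4.0"',
    '192.168.1.20 - - [31/Oct/2024:12:00:07 +0000] "POST /api/create HTTP/1.1" 200 88 "-" "ollama-js/0.5"',
    '10.0.0.5 - - [31/Oct/2024:12:00:08 +0000] "POST /api/create HTTP/1.1" 400 62 "-" "curl/8.4.0"',
    '10.0.0.5 - - [31/Oct/2024:12:00:09 +0000] "POST /api/create HTTP/1.1" 400 62 "-" "curl/8.4.0"',
    '10.0.0.5 - - [31/Oct/2024:12:00:11 +0000] "POST /api/create HTTP/1.1" 400 62 "-" "curl/8.4.0"',
]
```

Access logs do not carry the request body, so the path field itself is only visible if the proxy is configured to log bodies; the request-rate signal above works without that.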
Monitoring Recommendations
- Forward Ollama HTTP logs and reverse-proxy logs to a centralized analytics pipeline
- Track per-source request rates against api/create and apply anomaly detection
- Monitor for Ollama processes binding to non-loopback interfaces on production hosts
How to Mitigate CVE-2024-39719
Immediate Actions Required
- Upgrade Ollama to a release later than 0.3.14 that addresses the api/create error disclosure
- Restrict the Ollama API to loopback or trusted internal networks until patched
- Place Ollama behind an authenticating reverse proxy that enforces allow-lists
- Audit historical logs for prior enumeration attempts against api/create
Patch Information
Upgrade to an Ollama version released after 0.3.14. Review the Oligo Security advisory for vendor remediation details and validate the fixed version against the official Ollama release notes before deployment.
Workarounds
- Bind Ollama to 127.0.0.1 and disable external listeners via the OLLAMA_HOST environment variable
- Block external access to api/create at the reverse proxy or web application firewall
- Run Ollama under a dedicated low-privilege account with a restricted file system view
- Apply network segmentation so only trusted clients reach the Ollama service
# Configuration example
# Restrict Ollama to localhost only. For a systemd-managed service the variable
# must be set in the unit environment, because a shell export does not reach the daemon:
# run `systemctl edit ollama` and add under [Service]:
#   Environment="OLLAMA_HOST=127.0.0.1:11434"
systemctl restart ollama
# For a daemon started by hand, export it in the launching shell instead
export OLLAMA_HOST=127.0.0.1:11434
# Example nginx rule to block the vulnerable route externally
location /api/create {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://127.0.0.1:11434;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

