CVE-2024-39721 Overview
CVE-2024-39721 is a denial-of-service vulnerability in Ollama versions before 0.1.34. The flaw resides in the CreateModelHandler function in server/routes.go, which uses os.Open to read a user-controlled file path until completion. An unauthenticated remote attacker can submit a request with req.Path set to a blocking device file such as /dev/random, causing the handling goroutine to run indefinitely. The goroutine continues consuming resources even after the client aborts the HTTP request. Repeated requests exhaust available goroutines and memory, degrading or halting the Ollama service. The issue is tracked as CWE-404: Improper Resource Shutdown or Release.
Critical Impact
Unauthenticated attackers can remotely exhaust server resources on Ollama instances, taking the AI model serving endpoint offline without requiring credentials or user interaction.
Affected Products
- Ollama versions prior to 0.1.34
- Self-hosted Ollama deployments exposing the HTTP API
- Containerized Ollama instances built from images that ship a vulnerable version
Discovery Timeline
- 2024-10-31 - CVE-2024-39721 published to NVD
- 2025-05-13 - Last updated in NVD database
Technical Details for CVE-2024-39721
Vulnerability Analysis
Ollama is an open-source runtime for serving large language models over an HTTP API. The CreateModelHandler accepts a JSON request that includes a Path field pointing to a model file on disk. The handler calls os.Open against this attacker-supplied path and reads the file until end-of-file is reached. Reads from character devices like /dev/random block when insufficient entropy is available, producing data slowly or indefinitely, and such devices never return end-of-file, so a read-until-completion loop never terminates. Because Go uses a goroutine per request, the blocked read does not release the worker.
Go's HTTP server cancels the request context when a client disconnects, but it cannot stop a handler goroutine that never checks that context. The vulnerable code path performs no such check, so aborted requests still hold open file descriptors and stack memory. An attacker scripting repeated POST requests to the create-model endpoint can rapidly accumulate stuck goroutines and trigger denial of service.
Root Cause
The root cause is improper validation and lifecycle management of a user-controlled file path. The handler trusts req.Path without restricting it to regular files, model directories, or whitelisted locations. The code also fails to bound read durations or honor request cancellation signals from the HTTP context.
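The two missing controls described above, path confinement and request-context cancellation, as an added Go example written for this page (not Ollama's own code or its actual fix); modelsDir and the helper names are assumptions:

```go
package main

import (
	"context"
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Example hardening of the os.Open + read-to-EOF pattern (not Ollama's own code).
var errOutsideModelsDir = errors.New("path resolves outside the models directory")
var errNotRegularFile = errors.New("path is not a regular file")

// resolveModelPath confines userPath to modelsDir and rejects anything that is not
// a regular file, so device nodes, FIFOs and symlinks to them never reach os.Open.
func resolveModelPath(modelsDir, userPath string) (string, error) {
	root, err := filepath.EvalSymlinks(modelsDir)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(userPath) {
		userPath = filepath.Join(root, userPath)
	}
	resolved, err := filepath.EvalSymlinks(userPath) // a link to /dev/random resolves to /dev/random
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(os.PathSeparator)) {
		return "", errOutsideModelsDir
	}
	if info, err := os.Stat(resolved); err != nil {
		return "", err
	} else if !info.Mode().IsRegular() {
		return "", errNotRegularFile
	}
	return resolved, nil
}

// ctxReader fails each Read once the request context is done, so an aborted client
// releases the goroutine instead of leaving it blocked in a read-to-EOF loop.
type ctxReader struct{ ctx context.Context; r io.Reader }
func (c ctxReader) Read(p []byte) (int, error) {
	if err := c.ctx.Err(); err != nil {
		return 0, err
	}
	return c.r.Read(p)
}
```

A handler would call resolveModelPath first and then wrap the opened file as ctxReader{r.Context(), io.LimitReader(f, maxBytes)} before reading it, so both the device-file and the client-abort cases are bounded.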
Attack Vector
Exploitation requires network access to the Ollama API endpoint. The attacker sends a crafted JSON payload to the model creation route with Path pointing at /dev/random, /dev/zero, a FIFO, or another blocking source. No authentication or user interaction is required when the API is exposed. Repeated requests amplify the impact until the host runs out of usable goroutines or memory. Technical references include the vulnerable code in routes.go and the Oligo Security analysis.
Detection Methods for CVE-2024-39721
Indicators of Compromise
- HTTP POST requests to /api/create containing a path field referencing /dev/random, /dev/urandom, /dev/zero, or named pipes
- Sustained growth in Ollama process goroutine count, file descriptors, or resident memory
- API response timeouts and unresponsive model creation endpoints
- Multiple concurrent long-lived connections from a single source to the Ollama HTTP port (default 11434)
Detection Strategies
- Inspect web proxy and application logs for path parameters referencing device files or non-standard locations outside the configured models directory
- Correlate aborted client connections with persistent server-side resource consumption tied to the Ollama process
- Alert on Ollama processes whose goroutine or file descriptor counts exceed baseline thresholds
Monitoring Recommendations
- Capture HTTP request bodies for the Ollama API and parse them for suspicious path values
- Track per-source request rates against /api/create and rate-limit anomalous spikes
- Forward Ollama process metrics, network telemetry, and host logs to a centralized analytics platform for cross-source correlation
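The log inspection and per-source request counting from the Detection Strategies and Monitoring Recommendations above, as an added Go example written for this page (not part of Ollama or any proxy); the log line format, the addresses and the models directory are constructed assumptions:

```go
package main

import (
	"encoding/json"
	"path/filepath"
	"strings"
)

// Constructed sample proxy log, one "<client_ip> <method> <uri> <json body>" per line.
// The log format and the addresses are assumptions made for this example.
const sampleLog = `203.0.113.5 POST /api/create {"name":"evil","path":"/dev/random"}
203.0.113.5 POST /api/create {"name":"evil","path":"/var/lib/ollama/models/../../../../dev/random"}
198.51.100.7 POST /api/create {"name":"llama","path":"/var/lib/ollama/models/llama.gguf"}
203.0.113.5 POST /api/create {"name":"evil","path":"/tmp/fifo"}
198.51.100.7 GET /api/tags -`
type finding struct{ Source, Path, Reason string }

// suspiciousPath flags device nodes and anything outside the models directory. It is a
// string check on the logged value (cleaned to catch ".." traversal), not a filesystem stat.
func suspiciousPath(path, modelsDir string) (string, bool) {
	clean := filepath.Clean(path)
	switch {
	case strings.HasPrefix(clean, "/dev/"):
		return "device file", true
	case !strings.HasPrefix(clean, filepath.Clean(modelsDir)+"/"):
		return "outside models directory", true
	}
	return "", false
}

// scanCreateRequests returns one finding per suspicious /api/create request and the
// number of create requests per source address, for rate-based alerting.
func scanCreateRequests(logText, modelsDir string) ([]finding, map[string]int) {
	var findings []finding
	perSource := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		parts := strings.SplitN(line, " ", 4)
		if len(parts) < 4 || parts[1] != "POST" || parts[2] != "/api/create" {
			continue
		}
		perSource[parts[0]]++
		var body struct{ Path string `json:"path"` }
		if err := json.Unmarshal([]byte(parts[3]), &body); err != nil || body.Path == "" {
			continue
		}
		if reason, bad := suspiciousPath(body.Path, modelsDir); bad {
			findings = append(findings, finding{parts[0], body.Path, reason})
		}
	}
	return findings, perSource
}
```

On the sample above the scan yields three findings, all from 203.0.113.5, and a per-source count that a rate rule can compare against a baseline.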
How to Mitigate CVE-2024-39721
Immediate Actions Required
- Upgrade Ollama to version 0.1.34 or later on every host running the service
- Remove direct internet exposure of the Ollama API and place it behind an authenticated reverse proxy
- Audit existing deployments and container images to confirm the patched version is in use
- Restrict the operating system account running Ollama so it cannot read sensitive device files
Patch Information
The maintainers addressed CVE-2024-39721 in Ollama 0.1.34. The fix tightens handling in CreateModelHandler so that user-controlled paths no longer cause indefinite blocking reads. Review the updated routes.go for the corrected behavior and pull the latest container image or binary release from the official Ollama repository.
Workarounds
- Place Ollama behind a reverse proxy that enforces authentication and rejects requests whose path field references device files or paths outside an allow-listed model directory
- Apply network-level access controls so only trusted internal hosts can reach the Ollama API port
- Run Ollama inside a container or sandbox that does not expose /dev/random, /dev/urandom, or other blocking devices to the process
- Configure request timeouts and connection limits at the proxy layer to bound resource consumption per client
# Example reverse proxy hardening (nginx)
# In the http {} context: the shared zones that the location block below references
limit_req_zone $binary_remote_addr zone=ollama_create:10m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=ollama_conn:10m;

# In the server {} context
location /api/create {
    limit_req zone=ollama_create burst=5 nodelay;
    limit_conn ollama_conn 5;          # bound concurrent connections per client
    client_body_timeout 10s;           # drop clients that stall while sending the body
    proxy_read_timeout 30s;            # give up on a backend read that never completes
    proxy_pass http://127.0.0.1:11434;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.