CVE-2024-39722: Ollama Path Traversal Vulnerability

CVE-2024-39722 is a path traversal flaw in Ollama that exposes server file existence through the api/push route. This post covers the technical details, affected versions, security impact, and mitigation steps.

CVE-2024-39722 Overview

CVE-2024-39722 is a path traversal vulnerability in Ollama versions prior to 0.1.46. The flaw resides in the api/push route and allows unauthenticated remote attackers to determine which files exist on the server hosting Ollama. By manipulating path components in the request, an attacker can probe the underlying file system without valid credentials. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Critical Impact

Remote unauthenticated attackers can enumerate the existence of arbitrary files on the host running Ollama, exposing information that supports further reconnaissance and targeted attacks.

Affected Products

  • Ollama versions earlier than 0.1.46
  • Deployments exposing the Ollama HTTP API to untrusted networks
  • Self-hosted LLM environments running vulnerable Ollama releases

Discovery Timeline

  • 2024-10-31 - CVE-2024-39722 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-39722

Vulnerability Analysis

The vulnerability resides in the handling of model name parameters inside the api/push endpoint. Ollama uses the supplied name to locate model manifest files on disk. The route fails to sanitize traversal sequences before constructing the file path. An attacker can submit crafted input containing ../ segments to reach paths outside the intended model storage directory.

The server's response differs depending on whether the referenced file exists. This behavioral difference creates an oracle that discloses file existence to a remote, unauthenticated requester. The flaw does not provide direct file read or write access, but it leaks structural information about the host file system. Attackers can map installed software, user accounts, and configuration files to plan follow-on intrusions. Oligo Security publicly documented the issue alongside related Ollama flaws in their research on AI infrastructure security.

Root Cause

The root cause is missing input validation on user-controlled path components passed to the push handler. Ollama trusts the model name field to remain within a constrained namespace. Without normalization or allow-list enforcement, traversal characters reach the underlying os.Stat-style operation. The differing response codes for present versus absent files complete the information-disclosure primitive.
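The pattern described above, next to a hardened form, as an added Go example. It is not Ollama's code or the vendor's patch: the function names, the base directory and the name grammar are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// namePart is an assumed allow-list for one "/"-separated component of a
// model name (simplified; not Ollama's real grammar, e.g. no ":tag").
var namePart = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$`)

var ErrBadName = errors.New("invalid model name")

// unsafeManifestPath is the flawed pattern: filepath.Join resolves "../"
// segments, so the result can land outside base before it is stat'ed.
func unsafeManifestPath(base, name string) string {
	return filepath.Join(base, name)
}

// safeManifestPath rejects bad names with one uniform error before any
// file-system call, then re-checks containment as defense in depth.
func safeManifestPath(base, name string) (string, error) {
	for _, p := range strings.Split(name, "/") {
		if !namePart.MatchString(p) {
			return "", ErrBadName
		}
	}
	full := filepath.Join(base, filepath.FromSlash(name))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadName
	}
	return full, nil
}

func main() {
	base := "/var/lib/models/manifests" // constructed directory
	for _, n := range []string{"library/llama3", "../../../../etc/passwd", "a\\..\\b", ""} {
		p, err := safeManifestPath(base, n)
		fmt.Printf("%-26q unsafe=%-40q safe=%q err=%v\n", n, unsafeManifestPath(base, n), p, err)
	}
}
```

Because invalid names fail before the path is ever stat'ed, the caller returns the same error whether or not the target exists, which removes the existence oracle.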

Attack Vector

Exploitation requires only network access to the Ollama API, which listens on port 11434 by default. An attacker sends an HTTP request to /api/push containing a manipulated model identifier with traversal sequences pointing to a target file path. The response indicates whether the path exists on the host. No authentication, user interaction, or local access is required. See the Oligo Security Blog Post for the disclosure details.

Detection Methods for CVE-2024-39722

Indicators of Compromise

  • HTTP requests to /api/push containing ../ or URL-encoded traversal sequences such as %2e%2e%2f in the model name field
  • Repeated probes to the Ollama API enumerating common system paths like /etc/passwd, /root/.ssh/, or Windows user directories
  • Unusual volume of api/push requests from a single source without corresponding legitimate model push activity

Detection Strategies

  • Inspect Ollama access logs for path traversal patterns in request bodies targeting the push endpoint
  • Deploy web application firewall rules that flag traversal sequences in JSON payloads sent to port 11434
  • Correlate API request patterns against known model naming conventions to identify anomalous identifiers
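One way to implement the log inspection above, as an added Go example rather than tooling from Ollama or the vendor. It assumes a reverse proxy that logs one JSON object per request with hypothetical `src`, `path` and `body` fields, and that the model identifier arrives in a `name` or `model` key. The sample lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// record is a hypothetical proxy log schema: one JSON object per request.
type record struct{ Src, Path, Body string }

// sampleLog is constructed input, not captured traffic.
var sampleLog = []string{
	`{"src":"198.51.100.7","path":"/api/push","body":"{\"name\":\"../../../../etc/passwd\"}"}`,
	`{"src":"198.51.100.7","path":"/api/push","body":"{\"model\":\"%2e%2e%2f%2e%2e%2fetc/hosts\",\"stream\":false}"}`,
	`{"src":"10.0.0.5","path":"/api/push","body":"{\"model\":\"team/llama3:latest\"}"}`,
	`{"src":"10.0.0.9","path":"/api/generate","body":"{\"model\":\"llama3\"}"}`,
}

// hasTraversal percent-decodes up to twice (single and double encoding),
// treats backslashes as separators, and reports any ".." path segment.
func hasTraversal(s string) bool {
	for i := 0; i < 2; i++ {
		if d, err := url.PathUnescape(s); err == nil {
			s = d
		}
	}
	s = "/" + strings.ReplaceAll(s, `\`, "/") + "/"
	return strings.Contains(s, "/../")
}

// suspiciousPushes counts, per source address, the /api/push requests whose
// model identifier contains a traversal segment.
func suspiciousPushes(lines []string) map[string]int {
	hits := map[string]int{}
	for _, ln := range lines {
		var r record
		var b struct{ Name, Model string }
		if json.Unmarshal([]byte(ln), &r) != nil || r.Path != "/api/push" {
			continue
		}
		_ = json.Unmarshal([]byte(r.Body), &b) // unparsable bodies leave b empty
		if hasTraversal(b.Name) || hasTraversal(b.Model) {
			hits[r.Src]++
		}
	}
	return hits
}

func main() { fmt.Println(suspiciousPushes(sampleLog)) }
```

The per-source count supports the volume indicator listed earlier: a single address with many flagged pushes is enumerating paths, not publishing models.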

Monitoring Recommendations

  • Forward Ollama API logs to a centralized analytics platform for retention and pattern analysis
  • Alert on outbound connections from Ollama hosts that follow suspicious API probes, indicating possible chained exploitation
  • Track Ollama version inventory across the environment to confirm hosts running releases earlier than 0.1.46

How to Mitigate CVE-2024-39722

Immediate Actions Required

  • Upgrade Ollama to version 0.1.46 or later on all hosts running the service
  • Restrict network access to the Ollama API endpoint using firewall rules or reverse proxy authentication
  • Audit existing deployments for public exposure of port 11434 and remove unnecessary internet-facing instances

Patch Information

The vendor addressed the flaw in Ollama release 0.1.46. The fix introduces validation of model name input on the api/push route to reject traversal sequences. Administrators should pull the latest binary or container image and restart the service. Verify the running version with ollama --version after deployment.

Workarounds

  • Bind the Ollama service to localhost (127.0.0.1) when remote API access is not required
  • Place Ollama behind an authenticating reverse proxy that strips traversal characters from request paths and bodies
  • Apply network segmentation to isolate Ollama hosts from untrusted user networks until patching is complete
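
```bash
# Bind Ollama to localhost only to limit exposure (run as root).
# The systemd unit does not inherit variables exported in a shell,
# so set OLLAMA_HOST in a drop-in for the service.
mkdir -p /etc/systemd/system/ollama.service.d
printf '[Service]\nEnvironment="OLLAMA_HOST=127.0.0.1:11434"\n' \
  > /etc/systemd/system/ollama.service.d/10-bind-localhost.conf
systemctl daemon-reload
systemctl restart ollama

# Verify patched version
ollama --version
```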

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
