CVE-2024-37032
published 2024-05-31

Priority: P1 (85) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 89.63% (99.8th percentile)
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when deriving the model blob path, and therefore mishandles malformed digests such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring (the cases exercised by the upstream TestGetBlobsPath test). Because the unchecked digest is joined onto the blobs directory, a digest beginning with ../ resolves to a path outside it.

Affected (2 ranges)

Vendor      Product         Version range      Fixed in
github.com  ollama/ollama   >= 0, < 0.1.34     0.1.34
ollama      ollama          < 0.1.34           0.1.34

Detection & IOCs (extracted from sources)

url:   http://[victim]:11434/api/pull
port:  11434
path:  /api/pull
path:  /api/chat
path:  /api/version
path:  /root/.ollama/models/blobs/sha256-04778965089b91318ad61d0995b7e44fad4b9a9f4e049d7be90932bf8812e828
path:  /root/.ollama/models/manifests/%ATTACKER_IP%/library/manifest/latest
path:  /etc/ld.so.preload
path:  /root/bad.so
path:  linux/http/ollama_rce_cve_2024_37032
other: digest: ../../../../../../../../../../../../../../../../../../../traversal
other: digest: ../../../../../../../../../../../../../../../../../../../../../traversal
  • Monitor for HTTP POST requests to /api/pull containing a manifest with a `digest` field that includes path traversal sequences (e.g., `../`) instead of a valid sha256 hash (64 hex digits prefixed with 'sha256:').
  • Detect unexpected .so files written under /root/ (e.g., /root/bad.so) on Ollama server hosts, which may indicate the arbitrary file write primitive being used to stage a malicious shared library.
  • In Docker deployments, monitor for inbound connections to port 11434 from external/untrusted IPs, as the Ollama API server binds to 0.0.0.0 and is remotely exploitable in this configuration.
  • Detect the exploit chain: a sequence of /api/pull (with traversal digest) → /api/push (file read) → /api/chat (trigger process spawn loading malicious library) against the same Ollama instance.
  • The Metasploit module linux/http/ollama_rce_cve_2024_37032 implements the full exploit chain; use its network signatures (rogue OCI registry interaction + traversal digest in manifest) for IDS/IPS rules.
  • With default settings, the vulnerability is remotely exploitable only in Docker deployments (ollama/ollama image), where the API server binds to 0.0.0.0. The default Linux installation binds to localhost, which significantly reduces remote exploitation risk.
  • Ollama has no built-in authentication; any attacker who can reach port 11434 can exploit this without credentials. Put authentication in front of it (e.g. a reverse proxy) if the service is exposed beyond localhost.
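To make the digest check concrete, here is an added Go example (written for this page; it is not Ollama's code and is not taken from the sources quoted above). It puts a pre-fix style path derivation beside a hardened one that enforces the format the description calls for (sha256 with 64 hex digits), then runs the same check over a constructed manifest that carries the two traversal digests from the IOC list, which is the detection the first bullet asks for. The blobs directory /root/.ollama/models/blobs, the "sha256:" to "sha256-" on-disk rename, the function names and the manifest body are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// blobsDir stands in for $HOME/.ollama/models/blobs on a Linux host running as
// root, matching the blob path in the IOC list above (assumed for this example).
const blobsDir = "/root/.ollama/models/blobs"

// digestRe is the format the fix enforces: "sha256:" followed by exactly 64
// lowercase hex digits, the only digest form an OCI manifest should carry.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// unsafeBlobPath models the pre-0.1.34 behaviour described on this page: the
// manifest digest is rewritten to the on-disk "sha256-<hex>" name and joined
// onto the blobs directory with no format check, so a digest that begins with
// "../" is cleaned into a path outside that directory.
func unsafeBlobPath(digest string) string {
	return path.Join(blobsDir, strings.Replace(digest, ":", "-", 1))
}

// safeBlobPath is the hardened form: reject anything that is not a
// well-formed sha256 digest before any path is built from it.
func safeBlobPath(digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("invalid digest %q: want sha256: followed by 64 hex digits", digest)
	}
	return path.Join(blobsDir, strings.Replace(digest, ":", "-", 1)), nil
}

// escapesBlobsDir reports whether a path has left blobsDir; this is the
// post-condition the digest validation is meant to guarantee.
func escapesBlobsDir(p string) bool {
	c := path.Clean(p)
	return c != blobsDir && !strings.HasPrefix(c, blobsDir+"/")
}

// manifest carries only the digest-bearing fields of an OCI image manifest
// as a registry returns it during /api/pull.
type manifest struct {
	Config struct {
		Digest string `json:"digest"`
	} `json:"config"`
	Layers []struct {
		Digest string `json:"digest"`
	} `json:"layers"`
}

// suspiciousDigests parses a manifest body and returns every digest that fails
// the format check. A (possibly rogue) registry must never be trusted to send
// only valid digests, so this is the same predicate a detection rule would use.
func suspiciousDigests(body []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	digests := []string{m.Config.Digest}
	for _, l := range m.Layers {
		digests = append(digests, l.Digest)
	}
	var bad []string
	for _, d := range digests {
		if !digestRe.MatchString(d) {
			bad = append(bad, d)
		}
	}
	return bad, nil
}

// sampleManifest is constructed for this example: a valid config digest (the
// blob hash quoted in the IOC list), the two traversal digests from the IOC
// list, and one digest with too few hex digits.
var sampleManifest = []byte(`{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
             "digest": "sha256:04778965089b91318ad61d0995b7e44fad4b9a9f4e049d7be90932bf8812e828", "size": 485},
  "layers": [
    {"mediaType": "application/vnd.ollama.image.model", "digest": "../../../../../../../../../../../../../../../../../../../traversal", "size": 4096},
    {"mediaType": "application/vnd.ollama.image.model", "digest": "../../../../../../../../../../../../../../../../../../../../../traversal", "size": 4096},
    {"mediaType": "application/vnd.ollama.image.license", "digest": "sha256:abc123", "size": 12}
  ]
}`)

func main() {
	for _, d := range []string{
		"sha256:04778965089b91318ad61d0995b7e44fad4b9a9f4e049d7be90932bf8812e828",
		"../../../../../../../../../../../../../../../../../../../traversal",
	} {
		p := unsafeBlobPath(d)
		fmt.Printf("unsafe: %s (escapes blobs dir: %v)\n", p, escapesBlobsDir(p))
		if _, err := safeBlobPath(d); err != nil {
			fmt.Println("safe:   rejected:", err)
		}
	}
	bad, _ := suspiciousDigests(sampleManifest)
	fmt.Println("manifest digests flagged:", bad)
}
```

Running it shows the 19-deep traversal digest collapsing to /traversal under the unsafe join while the hardened function rejects it, and the manifest scan flagging three of the four digests. The same regular expression serves both as the server-side fix and as the detection predicate for a proxy or IDS rule watching manifests fetched during /api/pull.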

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv        -        7.8    HIGH      -
vulncheck  -        8.8    HIGH      -