CVE-2024-37032
Published 2024-05-31
Priority: P1 · 85 · high · CVSS 3.1: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck KEV: exploited in the wild
EPSS: 89.63% (99.8th percentile)
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ollama_ollama | >= 0 < 0.1.34 | 0.1.34 |
| ollama | ollama | < 0.1.34 | 0.1.34 |
Detection & IOCs (extracted from sources)
path: /root/.ollama/models/blobs/sha256-04778965089b91318ad61d0995b7e44fad4b9a9f4e049d7be90932bf8812e828
- Monitor for HTTP POST requests to /api/pull containing a manifest with a `digest` field that includes path traversal sequences (e.g., `../`) instead of a valid sha256 hash (64 hex digits prefixed with 'sha256:').
- Detect unexpected .so files written under /root/ (e.g., /root/bad.so) on Ollama server hosts, which may indicate the arbitrary file write primitive being used to stage a malicious shared library.
- In Docker deployments, monitor for inbound connections to port 11434 from external/untrusted IPs, as the Ollama API server binds to 0.0.0.0 and is remotely exploitable in this configuration.
- Detect the exploit chain: a sequence of /api/pull (with traversal digest) → /api/push (file read) → /api/chat (trigger process spawn loading malicious library) against the same Ollama instance.
- The Metasploit module linux/http/ollama_rce_cve_2024_37032 implements the full exploit chain; use its network signatures (rogue OCI registry interaction + traversal digest in manifest) for IDS/IPS rules.
- The vulnerability is only remotely exploitable by default in Docker deployments (ollama/ollama image), where the API server binds to 0.0.0.0. In the default Linux installation, the server binds to localhost, significantly reducing remote exploitation risk.
- Ollama has no built-in authentication; any attacker who can reach port 11434 can exploit this without credentials. Reverse-proxy authentication is required if the service is internet-exposed.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv · 7.8 HIGH
vulncheck · 8.8 HIGH
OSV
Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama
osv·2024-06-14
CVE-2024-37032 Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama
OSV
frr vulnerabilities
osv·2024-06-05·CVSS 7.8
CVE-2022-26126 frr vulnerabilities
It was discovered that FRR incorrectly handled certain network traffic.
A remote attacker could possibly use this issue to cause FRR to crash,
resulting in a denial of service. (CVE-2022-26126, CVE-2022-26127,
CVE-2022-26128, CVE-2022-26129, CVE-2022-37032, CVE-2022-37035,
CVE-2023-31490, CVE-2023-38406, CVE-2023-38407, CVE-2023-46752,
CVE-2023-46753, CVE-2023-47234, CVE-2023-47235, CVE-2024-31948)
Ben Cartwright-Cox discovered that FRR incorrectly handled certain
network traffic. A remote attacker could possibly use this issue to cause
FRR to crash, resulting in a denial of service. (CVE-2023-38802)
OSV
Ollama does not validate the format of the digest (sha256 with 64 hex digits)
osv·2024-05-31
CVE-2024-37032 [MEDIUM] Ollama does not validate the format of the digest (sha256 with 64 hex digits)
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial `../` substring.
GHSA
Ollama does not validate the format of the digest (sha256 with 64 hex digits)
ghsa·2024-05-31
CVE-2024-37032 [MEDIUM] Ollama does not validate the format of the digest (sha256 with 64 hex digits)
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial `../` substring.
VulnCheck
Ollama Model Path Remote Code Execution Vulnerability
vulncheck·2024·CVSS 8.8
CVE-2024-37032 [HIGH] Ollama Model Path Remote Code Execution Vulnerability
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
Affected: Ollama Ollama
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-22&host_type=src&vulnerability=cve-2024-37032; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-25&host_type=src&vulnerability=cve-2024-37032; https://da
No detection rules found.
Nuclei
Ollama - Remote Code Execution
nuclei·CVSS 8.8
CVE-2024-37032 [HIGH] Ollama - Remote Code Execution
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
Template:
```yaml
id: CVE-2024-37032
info:
  name: Ollama - Remote Code Execution
  author: kaks3c
  severity: critical
  description: |
    Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
  impact: |
    Attackers can exploit improper digest validation to achieve remote code execution on Ollama servers.
  remediation
```
Metasploit
Ollama Model Registry Path Traversal RCE
metasploit·CVSS 8.8
CVE-2024-37032 [HIGH] Ollama Model Registry Path Traversal RCE
Ollama before 0.1.34 is vulnerable to a path traversal attack via the model pull mechanism (CVE-2024-37032). When pulling a model, the digest field in OCI manifests is not validated, allowing an attacker to inject path traversal sequences to write arbitrary files on the server. This module starts a rogue OCI registry that serves two models. The first pull writes a malicious shared library and /etc/ld.so.preload via path traversal (a sacrificial first layer absorbs the digest verification failure so the remaining files persist). The second pull registers a valid model so /api/chat can spawn the llama.cpp runner process, which triggers the dynamic linker to load the malicious library via ld.so.preload. The library constructor forks, cleans up ld.so.p
Rapid7
Metasploit Wrap-Up 02/27/2026
blogs_rapid7·2026-02-27·CVSS 8.8
CVE-2024-37032 [HIGH] Metasploit Wrap-Up 02/27/2026
## No Prob-ollama
This release brings some serious firepower with multiple new exploit modules and critical vulnerability support! The standout additions are the Ollama path traversal RCE (CVE-2024-37032), a sophisticated exploit chaining arbitrary file writes into unauthenticated root RCE, and the Grandstream GXP1600 stack overflow (CVE-2026-2329), which targets VoIP devices with accompanying credential harvesting and SIP interception post-modules.
The BeyondTrust PRA/RS module got upgraded with support for the new CVE-2026-1731 command injection vulnerability along with legacy CVE support. On the evasion front, there's fresh ARM64 RC4 encryption support with sleep-based detection bypass. Classic vulnerability modules like Unreal IRCd and vsftpd backdoors got quality-of-life improvement
Wiz
Secure Code Scanning: Basics & Best Practices | Wiz
blogs_wiz·2025-07-01
## What is secure code scanning?
Secure code scanning (also known as secure code review) is the practice of assessing code for potential security flaws and code quality problems. It involves the use of specialized tools and techniques to identify and resolve code smells, errors, bugs, vulnerabilities, hardcoded secrets and data privacy risks in first-party code, third-party libraries, container images, and public repositories.
Just as grammar-checking tools help rid your documents of spelling and grammar errors, code scanners detect potential vulnerabilities and inefficiencies in your code, ensuring that only quality, trusted code gets shipped to production.
In this article, we’ll explore the step-by-step process of code scanning, its benefits, approaches, and best practices.
###### Wa
Wiz
A Signature Verification Bypass in Nuclei (CVE-2024-43405) | Wiz Blog
blogs_wiz·2025-01-03·CVSS 7.4
[HIGH] A Signature Verification Bypass in Nuclei (CVE-2024-43405) | Wiz Blog
In our continuous effort to enhance cybersecurity, Wiz engineering team has identified and helped mitigate a significant vulnerability in Nuclei, a widely-used open-source security tool by ProjectDiscovery. This reflects our dedication to fortifying the entire security ecosystem, including the tools we and many others rely on.
Nuclei, with over 21,000 stars on GitHub and an impressive 2.1 million downloads, has become a cornerstone in many organizations' security stacks, including our own at Wiz. Its popularity stems from its flexibility and efficiency in detecting vulnerabilities across various digital assets. This widespread adoption underscores the critical role Nuclei plays in the security community, making it essential to proactively identify and address any potential vulnerabiliti
Trendmicro
The Road to Agentic AI: Exposed Foundations
blogs_trendmicro·2024-12-04
Artificial Intelligence (AI)
# The Road to Agentic AI: Exposed Foundations
Our research into Retrieval Augmented Generation (RAG) systems uncovered at least 80 unprotected servers. We highlight this problem, which can lead to potential data loss and unauthorized access.
By: Morton Swimmer, Philippe Lin, Vincenzo Ciancaglini, Marco Balduzzi, Stephen Hilt
2024/12/04
Report highlights:
- Retrieval augmented generation (RAG) enables enterprises to build customized, efficient, and cost-effective applications based on private data. However, research reveals significant security risks, such as exposed vector stores and LLM-hosting platforms, which can lead to data leaks, unauthorized access, and potential system manipulation if not properly secured.
- Secu
Checkpoint
1st July – Threat Intelligence Report
blogs_checkpoint·2024-07-01
CVE-2024-5805 1st July – Threat Intelligence Report
## 1st July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The BlackSuit ransomware group has hit South Africa’s National Health Laboratory Service (NHLS), disrupting lab result dissemination amid a Mpox outbreak. The actors have deleted system sections, including backups, forcing manual result communication. Despite the attack, labs continue processing samples, but system restoration ti
Wiz
Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations | Wiz Blog
blogs_wiz·2024-06-24·CVSS 8.8
CVE-2024-37032 [HIGH] Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations | Wiz Blog
# Introduction & Overview
Ollama is one of the most popular open-source projects for running AI Models, with over 70k stars on GitHub and hundreds of thousands of monthly pulls on Docker Hub. Inspired by Docker, Ollama aims to simplify the process of packaging and deploying AI models.
Wiz Research discovered an easy-to-exploit Remote Code Execution vulnerability in Ollama: CVE-2024-37032, dubbed “Probllama.” This security issue was responsibly disclosed to Ollama’s maintainers and has since been mitigated. Ollama users are encouraged to upgrade their Ollama installation to version 0.1.34 or newer.
Our research indicates that, as of June 10, there are a large number of Ollama instances running a vulnerable version that are exposed to the internet. In this blog post, we will detail what w
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
arXiv
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
arxiv_fulltext·2026-03-02
## Abstract
Large language models (LLMs) are increasingly being deployed as software engineering agents that autonomously contribute to repositories. A major benefit these agents present is their ability to find and patch security vulnerabilities in the codebases they oversee. To estimate the capability of agents in this domain, we introduce ZeroDayBench, a benchmark where LLM agents find and patch 22 novel critical vulnerabilities in open-source codebases. We focus our efforts on three popular frontier agentic LLMs: GPT-5.2, Claude Sonnet 4.5, and Grok 4.1. We find that frontier LLMs are not yet capable of autonomously solving our tasks and observe some behavioral patterns that suggest how these models can be improved in the domain of proactive cyberdefense.
## Introduction
Large langu
arXiv
From LLMs to Agents: A Comparative Evaluation of LLMs and LLM-based Agents in Security Patch Detection
arxiv_fulltext·2025-11-11
Junxiao Han, Zheng Yu, Lingfeng Bao, Jiakun Liu, Yao Wan, Jianwei Yin, Shuiguang Deng, and Song Han
Junxiao Han, Zheng Yu, and Song Han are with the School of Computer and Computing Science, Hangzhou City University, Hangzhou 310015, China.
Lingfeng Bao is with the State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou 310027, China.
Jiakun Liu is with the Faculty of Computing, Harbin Institute of Technology, Harbin 150001, China.
Yao Wan is with the College of Computer Science and Technology, Huazhong University of Science and T
arXiv
Unveiling the Landscape of LLM Deployment in the Wild: An Empirical Study
arxiv_fulltext·2025-08-26
Xinyi Hou¹, Jiahao Han¹, Yanjie Zhao, Haoyu Wang²
Huazhong University of Science and Technology, Wuhan, China
¹ Xinyi Hou and Jiahao Han contributed equally to this work.
² Haoyu Wang is the corresponding author.
## Abstract
Large language models (LLMs) are increasingly deployed through open-source and commercial frameworks, enabling individuals and organizations to self-host advanced LLM capabilities. As LLM deployments become prevalent, particularly in industry, ensuring their secure and reliable operation has become a critical issue. However, insecure defaults and misconfigurations often expose L
CWE
Improper Input Validation
mitre_cwe
CWE-20 Improper Input Validation
CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of:
- raw data - strings, numbers, parameters, file contents, etc.
- metadata - information about the raw data, such as headers or size
Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may n
CWE
Improper Validation of Specified Type of Input
mitre_cwe·CVSS 8.8
[HIGH] CWE-1287 Improper Validation of Specified Type of Input
CWE-1287: Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
When input does not comply with the expected type, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities that would not be possible if the input conformed with the expected type. This weakness can appear in type-unsafe programming languages, or in programming languages that support casting or conversion of an input to another type.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Other. Impact: Varies by Context.
Potential Mitigations:
[Implementation] Assume all input is malicio
CWE
Relative Path Traversal
mitre_cwe
CWE-23 Relative Path Traversal
CWE-23: Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands. The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
Scope: Integrity. Impact: Modify Files or Directories. The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able
CWE
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
mitre_cwe
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is inte
- https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
- https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34
- https://github.com/ollama/ollama/pull/4175
- https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032
2024-05-31: Published
Exploited in the wild