CVE-2024-37032

Published May 31, 2024

Last updated a year ago

CVSS high 8.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-37032 is a path traversal vulnerability affecting Ollama, an open-source framework designed for running large language models (LLMs) locally. This flaw, also known as "Probllama," exists in Ollama versions prior to 0.1.34. The vulnerability arises because Ollama fails to adequately validate the format of the "digest" parameter when it resolves model paths. This lack of validation allows an attacker to inject malicious path traversal sequences, such as `../`, into the digest value. By doing so, an attacker can escape the intended directories and manipulate file paths. This can lead to arbitrary file writes on the system, and in certain configurations, it can be exploited to achieve remote code execution.

Description
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
Source
cve@mitre.org
NVD status
Analyzed
Products
ollama

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

Hype score
Not currently trending

  1. ペネトレーションテストツールのMetasploitが更新。Linux向けRC4パッカー、OllamaのCVE-2024-37032、BeyondTrustのCVE-2026-1731、GrandstreamのCVE-2026-2329に対応する攻撃コード、Windows向け永続化の追加。 https://t.co/GiidCAOHcs

    @__kokumoto

    28 Feb 2026

    1962 Impressions

    5 Retweets

    36 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Metasploit Update Drops Linux RC4 Evasion + New RCE Exploits for Ollama, BeyondTrust, and VoIP Rapid7’s Feb 27 Metasploit release adds new exploit modules for high-severity RCE issues (including Ollama CVE-2024-37032, BeyondTrust PRA/RS CVE-2026-1731, and Grandstream GXP16

    @ThreatSynop

    28 Feb 2026

    70 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Ollama RCE Exploit: How #CVE-2024-37032 Bypasses Authentication to Hack #AI Servers + Video https://t.co/bDWrtoAvmF Educational Purposes!

    @UndercodeUpdate

    14 Feb 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Threat Alert: Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the CVE-2024-43405 CVE-2024-37032 Severity: 🟡 Medium Maturity: 💢 Emerging Learn more: https://t.co/AS7I7AgI8k #CyberSecurity #ThreatIntel #InfoSec

    @fletch_ai

    4 Jan 2025

    17 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed).CVE-2026-7482
  2. Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.CVE-2026-42249
  3. Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker‑supplied executables to be accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.CVE-2026-42248
  4. A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.CVE-2026-7020
  5. An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadataCVE-2025-66960

References

Sources include official advisories and independent security research.