AI Threat Alert AI Threat Alert

CVE-2024-28224: Ollama: DNS rebinding exposes LLM API to remote access

MEDIUM PoC AVAILABLE
Published April 8, 2024
CISO Take

DNS rebinding lets any website a developer visits bypass same-origin policy and reach the local Ollama inference API without authentication. An attacker gains full control: model enumeration, arbitrary inference, model deletion, and resource exhaustion. Patch to 0.1.29+ immediately and enforce localhost-only binding on all Ollama deployments.

Risk Assessment

CVSS 6.6 understates real-world risk for organizations with developers running Ollama locally. DNS rebinding is a well-documented, tooled technique (Singularity, rebind.network) requiring no AI expertise. The absence of authentication in default Ollama deployments means any successful rebind yields complete API control. Developer laptops and internal lab servers are the primary exposure surface—often outside EDR visibility and rarely patched promptly.

Affected Systems

Package Ecosystem Vulnerable Range Patched
ollama pip No patch
170.6K 1.4K dependents Pushed 6d ago 5% patched ~0d to patch Full package profile →

Do you use ollama? You're affected.

Severity & Risk

CVSS 3.1
6.6 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A High

Recommended Action

6 steps

  1. Upgrade Ollama to 0.1.29+ immediately.

  2. Explicitly bind Ollama to 127.0.0.1—never 0.0.0.0 in dev or lab environments.

  3. Block port 11434 at the host firewall; confirm rule applies to VPN/split-tunnel interfaces.

  4. If remote API access is required, front with a reverse proxy enforcing authentication (nginx + mTLS or basic auth over TLS).

  5. Add detection: alert on model deletion events, inference request spikes, and API access from non-localhost IPs in Ollama logs.

  6. Include Ollama version in asset inventory for patch compliance tracking.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass DoS Data Extraction Inference API Model AML.T0029 AML.T0034 AML.T0040 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - AI system security
NIST AI RMF
MEASURE 2.7 - AI system security and resilience evaluation
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-28224?

DNS rebinding lets any website a developer visits bypass same-origin policy and reach the local Ollama inference API without authentication. An attacker gains full control: model enumeration, arbitrary inference, model deletion, and resource exhaustion. Patch to 0.1.29+ immediately and enforce localhost-only binding on all Ollama deployments.

Is CVE-2024-28224 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-28224, increasing the risk of exploitation.

How to fix CVE-2024-28224?

1. Upgrade Ollama to 0.1.29+ immediately. 2. Explicitly bind Ollama to 127.0.0.1—never 0.0.0.0 in dev or lab environments. 3. Block port 11434 at the host firewall; confirm rule applies to VPN/split-tunnel interfaces. 4. If remote API access is required, front with a reverse proxy enforcing authentication (nginx + mTLS or basic auth over TLS). 5. Add detection: alert on model deletion events, inference request spikes, and API access from non-localhost IPs in Ollama logs. 6. Include Ollama version in asset inventory for patch compliance tracking.

What systems are affected by CVE-2024-28224?

This vulnerability affects the following AI/ML architecture patterns: local LLM deployment, model serving, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2024-28224?

CVE-2024-28224 has a CVSS v3.1 base score of 6.6 (MEDIUM). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

Exploitation Scenario

Attacker registers a domain with near-zero TTL DNS records. Developer with Ollama running on port 11434 visits a malicious webpage (phishing link, ad, or compromised site). Page loads from attacker's server; DNS record is then rebinded to 127.0.0.1. Subsequent JavaScript fetch() calls succeed against the local Ollama API due to browser same-origin policy failure. Attacker enumerates installed models, sends inference requests to extract system prompts or proprietary fine-tuned model behavior, deletes models to disrupt CI/CD pipelines using local LLM evaluation, or spawns dozens of parallel inference requests to exhaust GPU VRAM—causing a crash in any agent framework or RAG pipeline running on that machine.

Weaknesses (CWE)

CWE-346

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

References

Timeline

Published
April 8, 2024
Last Modified
May 13, 2025
First Seen
April 8, 2024

Related Vulnerabilities

CRITICAL CVE-2025-63389 9.8

ollama: Missing Auth allows unauthenticated access

Same package: ollama
CRITICAL CVE-2026-44007 9.1

vm2: sandbox escape via nesting:true enables RCE

Same package: ollama
CRITICAL CVE-2026-7482 9.1

Ollama: heap OOB read leaks API keys and chat data

Same package: ollama
HIGH CVE-2024-37032 8.8

Ollama: path traversal enables RCE via model blob API

Same package: ollama
HIGH CVE-2024-39720 8.2

Ollama: OOB read in GGUF parser enables remote DoS

Same package: ollama
Back to Threat Feed