CVE-2024-39719 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Unauthenticated attackers can enumerate any file path on Ollama servers by probing the api/create endpoint — confirmed by distinct error messages. This turns into a reconnaissance primitive for locating credentials, model weights, and configs before follow-on attacks. Immediately restrict the api/create endpoint to authenticated, internal traffic and upgrade past 0.3.14 when a patch ships.

Risk Assessment

Practical risk is medium-high despite the 'information disclosure' label. Thousands of Ollama instances are internet-exposed (Shodan-indexed), and the endpoint requires zero credentials and zero complexity. File enumeration enables attackers to map the filesystem for credential files, API keys, or custom model paths — dramatically lowering the cost of follow-on compromise. Organizations running Ollama in containerized AI stacks or on shared inference hosts face elevated exposure.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
ollama	pip	—	No patch
171.1K 1.5K dependents Pushed today 4% patched ~0d to patch Full package profile →

Do you use ollama? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

44.5%

chance of exploitation in 30 days

Higher than 98% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 45%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Upgrade Ollama to a version > 0.3.14 when a patched release is available.
Immediately place Ollama behind an authenticated reverse proxy (nginx, Caddy, Traefik) — never expose it directly to the internet or untrusted networks.
Block or restrict the /api/create endpoint at the network perimeter for environments where model creation is not required.
Audit firewall/cloud security group rules — Ollama binds to 0.0.0.0:11434 by default.
Monitor access logs for high-volume or systematic requests to /api/create with varied path parameters.
Rotate any credentials stored in paths that may have been probed if exposure is confirmed.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Privacy Violation Inference API AML.T0006 - Active Scanning AML.T0007 - Discover AI Artifacts AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - Logging and monitoring of AI systems

NIST AI RMF

MEASURE 2.5 - Privacy risks enumerated in risk or impact assessment

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-39719?

Unauthenticated attackers can enumerate any file path on Ollama servers by probing the api/create endpoint — confirmed by distinct error messages. This turns into a reconnaissance primitive for locating credentials, model weights, and configs before follow-on attacks. Immediately restrict the api/create endpoint to authenticated, internal traffic and upgrade past 0.3.14 when a patch ships.

Is CVE-2024-39719 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39719, increasing the risk of exploitation.

How to fix CVE-2024-39719?

1. Upgrade Ollama to a version > 0.3.14 when a patched release is available. 2. Immediately place Ollama behind an authenticated reverse proxy (nginx, Caddy, Traefik) — never expose it directly to the internet or untrusted networks. 3. Block or restrict the /api/create endpoint at the network perimeter for environments where model creation is not required. 4. Audit firewall/cloud security group rules — Ollama binds to 0.0.0.0:11434 by default. 5. Monitor access logs for high-volume or systematic requests to /api/create with varied path parameters. 6. Rotate any credentials stored in paths that may have been probed if exposure is confirmed.

What systems are affected by CVE-2024-39719?

This vulnerability affects the following AI/ML architecture patterns: model serving, local LLM inference, self-hosted AI infrastructure, containerized AI stacks.

What is the CVSS score for CVE-2024-39719?

CVE-2024-39719 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 44.51%.

Technical Details

NVD Description

An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the server.

Exploitation Scenario

An attacker discovers an internet-facing Ollama instance via Shodan (query: 'port:11434 ollama'). They script a loop sending POST requests to /api/create with a 'path' field cycling through known sensitive paths: /root/.ssh/id_rsa, /etc/passwd, /root/.ollama/config.json, /home/user/.aws/credentials, /app/.env. The distinct 'File does not exist' error vs. a model-creation attempt error confirms which files are present on the host. With this map, the attacker crafts a targeted follow-on attack using a separate path traversal or SSRF vulnerability to exfiltrate the confirmed files.