CVE-2024-39721: Ollama: DoS via /dev/random causes goroutine exhaustion

Severity: HIGH | PoC available | CISA SSVC: Track*
Published October 31, 2024
CISO Take

Any Ollama instance with the model creation API network-accessible is vulnerable to unauthenticated denial of service with a single HTTP request. An attacker sets path=/dev/random to hang goroutines indefinitely; repeated requests exhaust the Go runtime and crash the inference service. Patch to Ollama 0.1.34+ immediately and bind the API to localhost behind an authenticated reverse proxy.

Risk Assessment

High risk for teams running Ollama as a shared inference service or in any configuration where port 11434 is reachable by untrusted clients. Ollama ships with no authentication by default, meaning exposure is widespread in practice. The attack requires zero credentials, zero AI/ML knowledge, and is automatable with a trivial shell script. The availability impact is total: the inference layer goes down, taking all dependent AI workflows with it.

Affected Systems

Package: ollama
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

6 steps
  1. Patch: Upgrade Ollama to 0.1.34 or later immediately — this is the only complete fix.

  2. Network isolation: Bind Ollama to localhost (OLLAMA_HOST=127.0.0.1) and never expose port 11434 to untrusted networks.

  3. Authenticated proxy: If multi-user access is required, place Ollama behind nginx/Caddy with authentication.

  4. Firewall: Apply ingress rules restricting Ollama API access to authorized internal IPs only.

  5. Detection: Alert on HTTP POST requests to /api/create containing non-standard path values (especially /dev/*). Monitor goroutine count and memory metrics for the Ollama process — anomalous growth indicates active exploitation.

  6. Rate limiting: Apply request rate limits on the /api/create endpoint as a short-term workaround before patching.
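Step 5 in working form, as an added example that is not part of this advisory or of Ollama: a Go scan over constructed reverse-proxy log lines (the JSON field names and the /proc/ prefix are assumptions) that flags each POST to /api/create whose path points at a device-like location and counts hits per client, since the scenario above relies on repeated requests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AccessEntry is one JSON-lines proxy record (field names are an assumption, not Ollama's own log format).
type AccessEntry struct {
	Client string `json:"client"`
	Method string `json:"method"`
	URI    string `json:"uri"`
	Body   string `json:"body"` // request body captured by the proxy
}

// Alert is one POST /api/create whose "path" points where no Modelfile can live.
type Alert struct{ Client, Path string }

// ScanLog flags every create request whose path is under /dev/ (the location named
// in CVE-2024-39721) or /proc/ (added as an assumption: also never a regular file)
// and counts hits per client, so repeated attempts stand out from a one-off.
func ScanLog(log string) ([]Alert, map[string]int) {
	var alerts []Alert
	perClient := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var e AccessEntry
		if json.Unmarshal([]byte(line), &e) != nil || e.Method != "POST" || e.URI != "/api/create" {
			continue // malformed or unrelated line
		}
		var req struct{ Path string `json:"path"` }
		if err := json.Unmarshal([]byte(e.Body), &req); err == nil &&
			(strings.HasPrefix(req.Path, "/dev/") || strings.HasPrefix(req.Path, "/proc/")) {
			alerts = append(alerts, Alert{e.Client, req.Path})
			perClient[e.Client]++
		}
	}
	return alerts, perClient
}

// sampleLog is constructed: one benign create, two attack attempts, one unrelated call.
const sampleLog = `{"client":"10.0.0.5","method":"POST","uri":"/api/create","body":"{\"name\":\"m\",\"path\":\"/srv/models/Modelfile\"}"}
{"client":"10.0.0.9","method":"POST","uri":"/api/create","body":"{\"name\":\"x\",\"path\":\"/dev/random\"}"}
{"client":"10.0.0.9","method":"POST","uri":"/api/create","body":"{\"name\":\"x\",\"path\":\"/dev/random\"}"}
{"client":"10.0.0.5","method":"POST","uri":"/api/generate","body":"{\"model\":\"m\",\"prompt\":\"hi\"}"}`

func main() {
	alerts, counts := ScanLog(sampleLog)
	fmt.Println(alerts, counts) // two alerts, both from 10.0.0.9
}
```

Feed it the body-logging output of the reverse proxy from step 3; a client whose count climbs while the Ollama process's goroutine count climbs with it is the signal step 5 describes.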

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.7.4 - AI System Operation and Monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms for AI Risk Response
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2024-39721 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39721, increasing the risk of exploitation.

What systems are affected by CVE-2024-39721?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference endpoints, agent frameworks, local AI development environments, RAG pipelines.

What is the CVSS score for CVE-2024-39721?

CVE-2024-39721 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.26%.

Technical Details

NVD Description

An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until completion. The req.Path parameter is user-controlled and can be set to /dev/random, which is blocking, causing the goroutine to run infinitely (even after the HTTP request is aborted by the client).
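The missing check, as an added example that is not Ollama's code or the 0.1.34 fix: a Go reader that refuses anything but a regular file before and after os.Open, so a user-supplied path such as /dev/random (or a FIFO, socket or symlink to a device) is never read. The byte cap is an assumption of this example.

```go
package main

import (
	"fmt"
	"io"
	"os"
)

// maxModelfileBytes caps the read (the limit is an assumption) so a huge regular file cannot pin the goroutine either.
const maxModelfileBytes = 1 << 20

// requireRegular is the check CreateModelHandler lacked: anything that is not a
// plain file (device nodes such as /dev/random, FIFOs, sockets, directories) is refused.
func requireRegular(info os.FileInfo, path string) error {
	if !info.Mode().IsRegular() {
		return fmt.Errorf("refusing %s: mode %v is not a regular file", path, info.Mode())
	}
	return nil
}

// readModelfile is the hardened counterpart of "os.Open and read to EOF". os.Stat
// follows symlinks, so a link to /dev/random is seen as the device and rejected
// before open; the second check on the open descriptor closes the Stat/Open window.
func readModelfile(path string) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if err := requireRegular(info, path); err != nil {
		return nil, err
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	if info, err = f.Stat(); err != nil {
		return nil, err
	}
	if err := requireRegular(info, path); err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(f, maxModelfileBytes))
}

func main() {
	// os.DevNull stands in for /dev/random: a device node, rejected at the Stat check and never opened.
	data, err := readModelfile(os.DevNull)
	fmt.Printf("%d bytes, err=%v\n", len(data), err)
}
```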

Exploitation Scenario

An adversary scans an AI team's internal network and discovers an exposed Ollama instance on port 11434 — common in dev environments where Ollama was installed with defaults. They send repeated unauthenticated POST requests to /api/create with the body {"name": "x", "path": "/dev/random"}. Each request spawns a goroutine that blocks indefinitely reading from the kernel entropy pool. After dozens of requests, Go's runtime is overwhelmed with blocked goroutines, memory is exhausted, and the Ollama process crashes or becomes unresponsive. All LLM-dependent services — agent orchestrators, internal chatbots, RAG pipelines — lose their inference backend simultaneously. The entire attack fits in a 5-line curl loop.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
October 31, 2024
Last Modified
May 13, 2025
First Seen
October 31, 2024

Related Vulnerabilities