CVE-2024-39721: Ollama: DoS via /dev/random causes goroutine exhaustion
Severity: HIGH. PoC available. CISA SSVC: Track.

Any Ollama instance with the model creation API network-accessible is vulnerable to unauthenticated denial of service with a single HTTP request. An attacker sets path=/dev/random to hang goroutines indefinitely; repeated requests exhaust the Go runtime and crash the inference service. Patch to Ollama 0.1.34+ immediately and bind the API to localhost behind an authenticated reverse proxy.
What is the risk?
High risk for teams running Ollama as a shared inference service or in any configuration where port 11434 is reachable by untrusted clients. Ollama ships with no authentication by default, meaning exposure is widespread in practice. The attack requires zero credentials, zero AI/ML knowledge, and is automatable with a trivial shell script. The availability impact is total: the inference layer goes down, taking all dependent AI workflows with it.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Ollama | pip | — | No patch |
Do you use Ollama? You're affected.
What should I do?
Six steps:

1. Patch: Upgrade Ollama to 0.1.34 or later immediately — this is the only complete fix.
2. Network isolation: Bind Ollama to localhost (OLLAMA_HOST=127.0.0.1) and never expose port 11434 to untrusted networks.
3. Authenticated proxy: If multi-user access is required, place Ollama behind nginx/Caddy with authentication.
4. Firewall: Apply ingress rules restricting Ollama API access to authorized internal IPs only.
5. Detection: Alert on HTTP POST requests to /api/create containing non-standard path values (especially /dev/*). Monitor goroutine count and memory metrics for the Ollama process — anomalous growth indicates active exploitation.
6. Rate limiting: Apply request rate limits on the /api/create endpoint as a short-term workaround before patching.
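The detection step above can be run over reverse-proxy access logs. The following Go program is an added example, not part of this advisory and not Ollama's or any proxy's own tooling: it scans a constructed tab-separated log format (timestamp, client, method, URI, request body; nginx would need a custom log_format with $request_body to produce anything similar), raises an alert for every /api/create body whose path points under /dev/ (the /proc/ and /sys/ prefixes are an assumption of the example), for bodies that cannot be decoded, and for any client exceeding a burst threshold of create requests, which covers the "repeated requests" part of the attack. The sample log lines and the threshold of 3 are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// createReq holds the two /api/create body fields this advisory is about;
// any other fields in a real request are ignored during decoding.
type createReq struct {
	Name string `json:"name"`
	Path string `json:"path"`
}

// Alert is one detection finding.
type Alert struct {
	Client string
	Path   string
	Reason string
}

// suspiciousPrefixes are locations a Modelfile path should never point to.
// /dev/ is the case in this advisory; /proc/ and /sys/ are an assumption of
// this example, on the grounds that other special files are equally unwanted.
var suspiciousPrefixes = []string{"/dev/", "/proc/", "/sys/"}

// classifyPath returns a non-empty reason when a "path" value points into one
// of the suspicious locations, and "" for an ordinary file path.
func classifyPath(p string) string {
	for _, pre := range suspiciousPrefixes {
		if strings.HasPrefix(p, pre) {
			return "special file path under " + pre
		}
	}
	return ""
}

// ScanLogs reads tab-separated proxy log lines of the form
//
//	<timestamp>\t<client>\t<method>\t<uri>\t<request body>
//
// (a format assumed for this example) and returns alerts for suspicious or
// undecodable /api/create bodies and for any client that sent more than
// burstThreshold create requests in the scanned window.
func ScanLogs(lines []string, burstThreshold int) []Alert {
	var alerts []Alert
	creates := map[string]int{}
	for _, ln := range lines {
		f := strings.Split(ln, "\t")
		if len(f) < 5 {
			continue // malformed line; nothing to judge
		}
		client, method, uri, body := f[1], f[2], f[3], f[4]
		if method != "POST" || uri != "/api/create" {
			continue
		}
		creates[client]++
		var req createReq
		if err := json.Unmarshal([]byte(body), &req); err != nil {
			alerts = append(alerts, Alert{client, "", "undecodable /api/create body"})
			continue
		}
		if reason := classifyPath(req.Path); reason != "" {
			alerts = append(alerts, Alert{client, req.Path, reason})
		}
	}
	for client, n := range creates {
		if n > burstThreshold {
			alerts = append(alerts, Alert{client, "",
				fmt.Sprintf("%d create requests exceeds burst threshold %d", n, burstThreshold)})
		}
	}
	return alerts
}

// logLine builds one sample line in the format ScanLogs expects.
func logLine(client, method, uri, body string) string {
	return strings.Join([]string{"2024-06-01T10:00:00Z", client, method, uri, body}, "\t")
}

// sampleLog is constructed input: one benign create from 10.0.0.7, a burst of
// /dev/random creates from 10.0.0.5, and one truncated body from 10.0.0.9.
var sampleLog = []string{
	logLine("10.0.0.7", "GET", "/api/tags", ""),
	logLine("10.0.0.7", "POST", "/api/create", `{"name":"team-llm","path":"/srv/models/Modelfile"}`),
	logLine("10.0.0.5", "POST", "/api/create", `{"name":"x","path":"/dev/random"}`),
	logLine("10.0.0.5", "POST", "/api/create", `{"name":"x","path":"/dev/random"}`),
	logLine("10.0.0.5", "POST", "/api/create", `{"name":"x","path":"/dev/random"}`),
	logLine("10.0.0.5", "POST", "/api/create", `{"name":"x","path":"/dev/random"}`),
	logLine("10.0.0.9", "POST", "/api/create", `{"name":"y","path":`),
}

func main() {
	for _, a := range ScanLogs(sampleLog, 3) {
		fmt.Printf("ALERT client=%s path=%q reason=%s\n", a.Client, a.Path, a.Reason)
	}
}
```

On the sample input this yields six alerts: four for the /dev/random path, one for the undecodable body, and one burst alert for 10.0.0.5. The undecodable-body branch matters because a body the decoder rejects is exactly the kind of request a scanner should not silently skip.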
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-39721 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-39721, increasing the risk of exploitation.
What systems are affected by CVE-2024-39721?
This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference endpoints, agent frameworks, local AI development environments, RAG pipelines.
What is the CVSS score for CVE-2024-39721?
CVE-2024-39721 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 2.68%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until completion. The req.Path parameter is user-controlled and can be set to /dev/random, which is blocking, causing the goroutine to run infinitely (even after the HTTP request is aborted by the client).
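The advisory's root cause is an unbounded read from a user-controlled path on the request goroutine. The Go program below is an added example and is not Ollama's code: readModelFileUnsafe reproduces the shape of the bug only for comparison, and readModelFile is the hardened form, which refuses anything that is not a regular file (so a character device such as /dev/random is rejected before it is opened), caps the number of bytes read, and stops waiting when the request context is cancelled. The handler, the 64 MiB cap, and the listen address are assumptions of the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
)

// ErrNotRegular is returned when the requested path is not a plain file.
var ErrNotRegular = errors.New("model file path must be a regular file")

// maxModelFileBytes caps how much any one request may read; the figure is an
// assumption for this example, not a limit Ollama documents.
const maxModelFileBytes = 64 << 20

// readModelFileUnsafe has the shape the advisory describes: open whatever path
// the client supplied and read until EOF. /dev/random never reaches EOF, so
// the call, and the goroutine serving the request, block forever. It is kept
// only to show the bug pattern and is not used by the handler below.
func readModelFileUnsafe(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// readModelFile is the hardened form: it refuses anything that is not a
// regular file (character devices, FIFOs, directories), caps the bytes read,
// and stops waiting once ctx is cancelled. Because only regular files are ever
// read, the bounded read below always terminates, which is what keeps the
// goroutine count flat even under a flood of requests.
func readModelFile(ctx context.Context, path string) ([]byte, error) {
	if err := ctx.Err(); err != nil {
		return nil, err // client already went away; do no work at all
	}
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, ErrNotRegular
	}
	if info.Size() > maxModelFileBytes {
		return nil, fmt.Errorf("model file too large: %d bytes", info.Size())
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	type result struct {
		data []byte
		err  error
	}
	done := make(chan result, 1) // buffered so the reader never blocks on send
	go func() {
		data, err := io.ReadAll(io.LimitReader(f, maxModelFileBytes))
		done <- result{data, err}
	}()
	select {
	case r := <-done:
		return r.data, r.err
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// createRequest mirrors the two /api/create fields named in the advisory.
type createRequest struct {
	Name string `json:"name"`
	Path string `json:"path"`
}

// createHandler is a hypothetical model-creation endpoint (not Ollama's
// handler) that wires the request context into the file read.
func createHandler(w http.ResponseWriter, r *http.Request) {
	var req createRequest
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "bad request body", http.StatusBadRequest)
		return
	}
	data, err := readModelFile(r.Context(), req.Path)
	switch {
	case errors.Is(err, ErrNotRegular), errors.Is(err, os.ErrNotExist):
		http.Error(w, "path must name an existing regular file", http.StatusBadRequest)
		return
	case err != nil:
		http.Error(w, "could not read model file", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "model %q: read %d bytes of Modelfile\n", req.Name, len(data))
}

func main() {
	http.HandleFunc("/api/create", createHandler)
	// Loopback only, matching the advisory's network-isolation advice; the port
	// is arbitrary for this example.
	if err := http.ListenAndServe("127.0.0.1:11435", nil); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

The order of checks is deliberate: os.Stat and the IsRegular test run before os.Open, so a device node is never opened at all, and the context check at the top means a request the client has already aborted costs nothing. The select on ctx.Done() is what addresses the "even after the HTTP request is aborted" part of the advisory.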
Exploitation Scenario
An adversary scans an AI team's internal network and discovers an exposed Ollama instance on port 11434 — common in dev environments where Ollama was installed with defaults. They send repeated unauthenticated POST requests to /api/create with the body {"name": "x", "path": "/dev/random"}. Each request spawns a goroutine that blocks indefinitely reading from the kernel entropy pool. After dozens of requests, Go's runtime is overwhelmed with blocked goroutines, memory is exhausted, and the Ollama process crashes or becomes unresponsive. All LLM-dependent services — agent orchestrators, internal chatbots, RAG pipelines — lose their inference backend simultaneously. The entire attack fits in a 5-line curl loop.
Weaknesses (CWE)
CWE-404 — Improper Resource Shutdown or Release: The product does not release or incorrectly releases a resource before it is made available for re-use.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
- [Implementation] It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
- github.com/ollama/ollama/blob/9164b0161bcb24e543cba835a8863b80af2c0c21/server/routes.go (Product)
- github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/routes.go (Product)
- oligo.security/blog/more-models-more-probllms (Exploit, 3rd Party)
- github.com/fkie-cad/nvd-json-data-feeds (Exploit)
- github.com/wowtalon/LLM-Security (Exploit)
Related Vulnerabilities
- CVE-2026-46339 (10.0): 9router: unauthenticated RCE exposes LLM API keys
- CVE-2026-42248 (9.8, same package: ollama): Ollama: silent auto-update bypasses signature check on Windows
- CVE-2025-63389 (9.8, same package: ollama): ollama: Missing Auth allows unauthenticated access
- CVE-2026-42249 (9.8, same package: ollama): Ollama: path traversal + unsigned update = silent RCE
- CVE-2026-7482 (9.1, same package: ollama): Ollama: heap OOB read leaks API keys and chat data