AI Threat Alert

CVE-2024-39722: Ollama: path traversal exposes server filesystem

HIGH PoC AVAILABLE CISA: TRACK*
Published October 31, 2024
CISO Take

Any unauthenticated attacker with network access to an Ollama instance can enumerate files on the host server via a crafted api/push request — no credentials or user interaction required. If Ollama is internet-facing or accessible from untrusted networks, treat this as an active risk: patch to 0.1.46+ immediately and audit firewall rules. The file disclosure can accelerate lateral movement by revealing config paths, credential files, and model locations.

What is the risk?

HIGH. The CVSS 7.5 score reflects the reality: zero authentication, zero complexity, full network reach. The primary risk amplifier is deployment posture — Ollama instances exposed beyond localhost (cloud VMs with open ports, developer machines on shared networks) are directly exploitable. File existence probing alone can map sensitive paths (.env, API keys, SSH configs) to support follow-on attacks. EPSS data unavailable but exploitation tooling is trivial to build from the public Oligo advisory.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Ollama pip No patch
174.6K 1.6K dependents Pushed 3d ago 12% patched ~0d to patch Full package profile →

Do you use Ollama? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
3.9%
chance of exploitation in 30 days
Higher than 89% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps

  1. PATCH

    Upgrade Ollama to 0.1.46 or later — this is the only definitive fix.

  2. NETWORK

    Restrict Ollama API port (default 11434) to localhost or trusted internal subnets via firewall rules. Ollama should never be internet-facing without a reverse proxy with authentication.

  3. DETECT

    Review access logs for api/push requests containing path traversal sequences (../, %2e%2e%2f, encoded variants). Alert on unexpected file paths in push payloads.

  4. HARDEN

    Run Ollama under a dedicated low-privilege user account with a restricted filesystem view (chroot or container with minimal bind mounts).

  5. AUDIT

    If Ollama was exposed, assume server file paths have been enumerated — rotate any secrets stored in discoverable locations.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Inference API AML.T0006 AML.T0007 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - AI system security controls — operational security
NIST AI RMF
MANAGE-2.2 - Mechanisms to detect and respond to AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-39722?

Any unauthenticated attacker with network access to an Ollama instance can enumerate files on the host server via a crafted api/push request — no credentials or user interaction required. If Ollama is internet-facing or accessible from untrusted networks, treat this as an active risk: patch to 0.1.46+ immediately and audit firewall rules. The file disclosure can accelerate lateral movement by revealing config paths, credential files, and model locations.

Is CVE-2024-39722 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39722, increasing the risk of exploitation.

How to fix CVE-2024-39722?

1. PATCH: Upgrade Ollama to 0.1.46 or later — this is the only definitive fix. 2. NETWORK: Restrict Ollama API port (default 11434) to localhost or trusted internal subnets via firewall rules. Ollama should never be internet-facing without a reverse proxy with authentication. 3. DETECT: Review access logs for api/push requests containing path traversal sequences (../, %2e%2e%2f, encoded variants). Alert on unexpected file paths in push payloads. 4. HARDEN: Run Ollama under a dedicated low-privilege user account with a restricted filesystem view (chroot or container with minimal bind mounts). 5. AUDIT: If Ollama was exposed, assume server file paths have been enumerated — rotate any secrets stored in discoverable locations.

What systems are affected by CVE-2024-39722?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, model serving, agent frameworks, local AI development environments.

What is the CVSS score for CVE-2024-39722?

CVE-2024-39722 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 3.94%.

What is the AI security impact?

Affected AI Architectures

LLM inference servingmodel servingagent frameworkslocal AI development environments

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0007 Discover AI Artifacts
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.9.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route.

Exploitation Scenario

An adversary scanning for exposed AI inference endpoints identifies an Ollama instance on port 11434. Using the public Oligo research as a guide, they send crafted POST requests to /api/push with path traversal sequences in model name or file reference fields. By iterating common paths (/etc/passwd, /home/user/.env, /root/.aws/credentials, /app/config.yaml), they confirm which sensitive files exist on the host. This reconnaissance map is used to craft targeted exploitation — for example, if an .env file is confirmed present, they pivot to a second vulnerability or misconfiguration to read it. In AI environments where Ollama co-exists with LangChain apps or vector databases, the disclosed paths can reveal the full stack architecture for a chained attack.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
October 31, 2024
Last Modified
May 13, 2025
First Seen
October 31, 2024

Related Vulnerabilities

CRITICAL CVE-2026-46339 10.0

9router: unauthenticated RCE exposes LLM API keys

Same package: ollama
CRITICAL CVE-2026-42248 9.8

Ollama: silent auto-update bypasses signature check on Windows

Same package: ollama
CRITICAL CVE-2025-63389 9.8

ollama: Missing Auth allows unauthenticated access

Same package: ollama
CRITICAL CVE-2026-42249 9.8

Ollama: path traversal + unsigned update = silent RCE

Same package: ollama
CRITICAL CVE-2026-7482 9.1

Ollama: heap OOB read leaks API keys and chat data

Same package: ollama
Back to Threat Feed