CVE-2024-45436: Ollama: ZIP path traversal exposes host filesystem

Severity: HIGH | PoC available | CISA SSVC decision: Track*
Published August 29, 2024
CISO Take

Ollama before 0.1.47 allows unauthenticated remote attackers to read arbitrary host files by serving a crafted model archive — no credentials, no user interaction required. Any Ollama instance reachable from untrusted networks is exposed. Patch to 0.1.47+ immediately and enforce network isolation on port 11434.

Risk Assessment

High risk. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means the exploitation bar is near-trivial for any attacker with network access. Ollama is widely deployed in AI labs, dev environments, and increasingly in production inference setups — often with minimal firewall controls. The combination of a large deployment footprint, zero-auth requirement, and ease of crafting malicious ZIP archives makes this a high-priority patch target.

Affected Systems

Package: ollama
Ecosystem: pip
Patched: No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 29.1% chance of exploitation in 30 days (higher than 97% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 29%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

Recommended Action

6 steps
  1. Patch immediately: upgrade Ollama to v0.1.47 or later (patch in PR #5314).

  2. Network isolation: restrict Ollama API port (default 11434) to localhost or trusted subnets — never expose publicly.

  3. Least privilege: run Ollama under a dedicated low-privilege service account with a restricted filesystem scope.

  4. Model provenance: only pull models from verified, trusted registries; audit and pin model sources in automated pipelines.

  5. Detection: monitor for unusual file access patterns outside Ollama's model storage directory; alert on model pulls from unknown registries.

  6. Review exposure: audit whether Ollama endpoints are internet-facing in cloud deployments.

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system lifecycle security
NIST AI RMF: MANAGE-2.2 - Mechanisms for AI risk response
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-45436 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-45436, increasing the risk of exploitation.

What systems are affected by CVE-2024-45436?

This vulnerability affects the following AI/ML architecture patterns: local LLM inference, self-hosted model serving, AI agent backends, MLOps / CI-CD model deployment pipelines, multi-tenant AI development environments.

What is the CVSS score for CVE-2024-45436?

CVE-2024-45436 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 29.08%.

Technical Details

NVD Description

extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.

Exploitation Scenario

An adversary crafts a malicious Ollama model archive with ZIP entries containing path traversal sequences (e.g., ../../../root/.ssh/id_rsa or ../../../etc/environment). The attacker either hosts this on a rogue Ollama-compatible registry or distributes the model file via a supply chain channel (GitHub, HuggingFace mirror, internal model store). When an operator runs 'ollama pull' or an automated MLOps pipeline fetches the model, Ollama's extractFromZipFile processes the archive without sanitizing entry paths, exposing sensitive host files to the attacker. In CI/CD environments that auto-pull models on commit, this is fully automated — zero operator interaction required post-delivery.
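The check that extractFromZipFile lacked, and the pre-extraction screening a hardened model loader should do, as an added Go example that is not Ollama's code and not the PR #5314 fix: SafeExtractPath rejects any entry whose cleaned path leaves the extraction root, and UnsafeEntries screens a whole archive before anything is written. The root /var/lib/ollama/models and the archive built by BuildSampleArchive are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks a member that would be written outside the extraction root.
var ErrUnsafeEntry = errors.New("zip entry escapes extraction root")

// SafeExtractPath maps an entry name onto root (assumed absolute), rejecting
// absolute names and any name that leaves root once ".." is resolved.
func SafeExtractPath(root, name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/") // treat backslashes as separators too
	if name == "" || strings.HasPrefix(name, "/") {
		return "", ErrUnsafeEntry
	}
	root = filepath.Clean(root)
	target := filepath.Join(root, filepath.FromSlash(name)) // Join also Cleans ".."
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// UnsafeEntries screens an archive before extraction and returns every rejected name.
func UnsafeEntries(archive []byte, root string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // newer Go may pre-flag ".." names
		return nil, err
	}
	var bad []string
	for _, f := range zr.File {
		if _, perr := SafeExtractPath(root, f.Name); perr != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// BuildSampleArchive returns a constructed in-memory archive: one benign entry
// plus the traversal entry named in the scenario above (both empty).
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	_, _ = zw.Create("model/weights.bin")
	_, _ = zw.Create("../../../etc/environment")
	_ = zw.Close()
	return buf.Bytes()
}
```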

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: August 29, 2024
Last Modified: August 30, 2024
First Seen: August 29, 2024