AI Threat Alert
CVE-2024-45436: Ollama: ZIP path traversal exposes host filesystem
HIGH PoC AVAILABLE CISA: TRACK*Ollama before 0.1.47 allows unauthenticated remote attackers to read arbitrary host files by serving a crafted model archive — no credentials, no user interaction required. Any Ollama instance reachable from untrusted networks is exposed. Patch to 0.1.47+ immediately and enforce network isolation on port 11434.
What is the risk?
High risk. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means the exploitation bar is near-trivial for any attacker with network access. Ollama is widely deployed in AI labs, dev environments, and increasingly in production inference setups — often with minimal firewall controls. The combination of a large deployment footprint, zero-auth requirement, and ease of crafting malicious ZIP archives makes this a high-priority patch target.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Ollama | pip | — | No patch |
Do you use Ollama? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch immediately: upgrade Ollama to v0.1.47 or later (patch in PR #5314).
-
Network isolation: restrict Ollama API port (default 11434) to localhost or trusted subnets — never expose publicly.
-
Least privilege: run Ollama under a dedicated low-privilege service account with a restricted filesystem scope.
-
Model provenance: only pull models from verified, trusted registries; audit and pin model sources in automated pipelines.
-
Detection: monitor for unusual file access patterns outside Ollama's model storage directory; alert on model pulls from unknown registries.
-
Review exposure: audit whether Ollama endpoints are internet-facing in cloud deployments.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-45436?
Ollama before 0.1.47 allows unauthenticated remote attackers to read arbitrary host files by serving a crafted model archive — no credentials, no user interaction required. Any Ollama instance reachable from untrusted networks is exposed. Patch to 0.1.47+ immediately and enforce network isolation on port 11434.
Is CVE-2024-45436 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-45436, increasing the risk of exploitation.
How to fix CVE-2024-45436?
1. Patch immediately: upgrade Ollama to v0.1.47 or later (patch in PR #5314). 2. Network isolation: restrict Ollama API port (default 11434) to localhost or trusted subnets — never expose publicly. 3. Least privilege: run Ollama under a dedicated low-privilege service account with a restricted filesystem scope. 4. Model provenance: only pull models from verified, trusted registries; audit and pin model sources in automated pipelines. 5. Detection: monitor for unusual file access patterns outside Ollama's model storage directory; alert on model pulls from unknown registries. 6. Review exposure: audit whether Ollama endpoints are internet-facing in cloud deployments.
What systems are affected by CVE-2024-45436?
This vulnerability affects the following AI/ML architecture patterns: local LLM inference, self-hosted model serving, AI agent backends, MLOps / CI-CD model deployment pipelines, multi-tenant AI development environments.
What is the CVSS score for CVE-2024-45436?
CVE-2024-45436 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 2.58%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.000 Unsafe AI Artifacts AML.T0025 Exfiltration via Cyber Means AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials Compliance Controls Affected
What are the technical details?
Original Advisory
extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.
Exploitation Scenario
An adversary crafts a malicious Ollama model archive with ZIP entries containing path traversal sequences (e.g., ../../../root/.ssh/id_rsa or ../../../etc/environment). The attacker either hosts this on a rogue Ollama-compatible registry or distributes the model file via a supply chain channel (GitHub, HuggingFace mirror, internal model store). When an operator runs 'ollama pull' or an automated MLOps pipeline fetches the model, Ollama's extractFromZipFile processes the archive without sanitizing entry paths, exposing sensitive host files to the attacker. In CI/CD environments that auto-pull models on commit, this is fully automated — zero operator interaction required post-delivery.
Weaknesses (CWE)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
- github.com/ollama/ollama/compare/v0.1.46...v0.1.47 Patch
- github.com/ollama/ollama/pull/5314 Patch
- github.com/ARPSyndicate/cve-scores Exploit
- github.com/XiaomingX/cve-2024-45436-exp Exploit
- github.com/XiaomingX/nice-juejin-article Exploit
- github.com/XiaomingX/weekly Exploit
- github.com/badboy0/Ollama_Exploit_Tool Exploit
- github.com/dansarmiento/ollama_sql_runner Exploit
- github.com/fkie-cad/nvd-json-data-feeds Exploit
- github.com/nomi-sec/PoC-in-GitHub Exploit
- github.com/pankass/CVE-2024-37032_CVE-2024-45436 Exploit
- github.com/pankass/CVE-2024-45436 Exploit
- github.com/plzheheplztrying/cve_monitor Exploit
- github.com/srcx404/CVE-2024-45436 Exploit
- github.com/wowtalon/LLM-Security Exploit
Timeline
Related Vulnerabilities
CVE-2026-46339 10.0 9router: unauthenticated RCE exposes LLM API keys
Same package: ollama CVE-2026-42249 9.8 Ollama: path traversal + unsigned update = silent RCE
Same package: ollama CVE-2025-63389 9.8 ollama: Missing Auth allows unauthenticated access
Same package: ollama CVE-2026-42248 9.8 Ollama: silent auto-update bypasses signature check on Windows
Same package: ollama CVE-2026-7482 9.1 Ollama: heap OOB read leaks API keys and chat data
Same package: ollama