Probllama: Ollama Remote Code Execution Vulnerability

Ollama is one of the most popular open-source projects for running AI Models, with over 70k stars on GitHub and hundreds of thousands of monthly pulls on Docker Hub.
Inspired by Docker, Ollama aims to simplify the process of packaging and deploying AI models.
Ollama users are encouraged to upgrade their Ollama installation to version 0.1.34 or newer.
Our research indicates that, as of June 10, there are a large number of Ollama instances running a vulnerable version that are exposed to the internet.
Over the past year, multiple remote code execution vulnerabilities were identified in inference servers, including TorchServe, Ray Anyscale, and Ollama.
Despite this, when scanning the internet for exposed Ollama servers, our scan revealed over 1,000 exposed instances hosting numerous AI models, including private models not listed in the Ollama public repository, highlighting a significant security gap.
To exploit this vulnerability, an attacker must send specially crafted HTTP requests to the Ollama API server.
Being one of the most popular open-source projects for running AI Models with over 70k stars on GitHub and hundreds of thousands of monthly pulls on Docker Hub, Ollama seemed to be the simplest way to self-host that model.

Ollama Architecture
Ollama consists of two main components: a client and a server.
The client is what the user interacts with, which could be, for example, a CLI. While experimenting with Ollama, our team found a critical security vulnerability in an Ollama server.
It is important to mention that Ollama does not support authentication out-of-the-box.
It is generally recommended to deploy Ollama behind a reverse proxy to enforce authentication, if the user decides to expose their installation.
One of the endpoints, /api/pull, can be used to download a model from an Ollama registry.
Security teams should update their Ollama instances to the latest version to mitigate this vulnerability.
It is recommended not to expose Ollama to the internet unless it is protected by some sort of authentication mechanism, such as a reverse proxy.
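The two recommendations above (run 0.1.34 or newer, and do not expose an instance without authentication) can be checked across an inventory of servers. This is an added example, not code from the original article or from the Ollama project. The record fields (`name`, `bind`, `auth_proxy`, `version_body`) and the sample records are constructed; `version_body` is assumed to hold the JSON body returned by Ollama's `GET /api/version`, and treating a pre-release build of 0.1.34 as unpatched is a conservative assumption.

```python
import ipaddress
import json
import re

# First fixed release named on the page: 0.1.34.
# Last field: 0 = pre-release build, 1 = final release (so 0.1.34-rc1 < 0.1.34).
FIXED = (0, 1, 34, 1)

def parse_version(text):
    """Turn '0.1.33', 'v0.3.14' or '0.1.34-rc1' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?", str(text).strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)

def audit(records):
    """Return {instance name: [findings]} for a list of inventory records."""
    report = {}
    for rec in records:
        findings = []
        try:
            version = parse_version(json.loads(rec["version_body"])["version"])
            if version < FIXED:
                findings.append("upgrade")
        except (ValueError, KeyError, TypeError):
            # Covers invalid JSON, a missing "version" key and odd payload shapes.
            findings.append("unknown-version")
        # A non-loopback bind address with no authenticating proxy in front
        # means anyone who can reach the port can call the API.
        if not ipaddress.ip_address(rec["bind"]).is_loopback and not rec["auth_proxy"]:
            findings.append("exposed-no-auth")
        report[rec["name"]] = findings
    return report

# Constructed sample inventory (hypothetical hosts, not data from the article).
SAMPLE = [
    {"name": "gpu-01", "bind": "0.0.0.0", "auth_proxy": False, "version_body": '{"version":"0.1.33"}'},
    {"name": "gpu-02", "bind": "127.0.0.1", "auth_proxy": True, "version_body": '{"version":"0.1.34"}'},
    {"name": "lab-03", "bind": "0.0.0.0", "auth_proxy": True, "version_body": '{"version":"0.1.34-rc1"}'},
    {"name": "dev-04", "bind": "::1", "auth_proxy": False, "version_body": '{"version":"0.3.14"}'},
    {"name": "edge-05", "bind": "192.0.2.10", "auth_proxy": False, "version_body": "not json"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```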
We responsibly disclosed this vulnerability to Ollama's development team in May 2024.
Ollama promptly investigated and addressed the issue while keeping us updated.
May 5, 2024 - Ollama acknowledged the receipt of the report.
May 5, 2024 - Ollama notified Wiz Research that they committed a fix to GitHub.
Ollama committed a fix in about 4 hours after receiving our initial report, demonstrating an impressive response time and commitment to their product security.


This Cyber News was published on packetstormsecurity.com. Publication date: Wed, 26 Jun 2024 19:13:05 +0000


Cyber News related to Probllama: Ollama Remote Code Execution Vulnerability

CVE-2025-0312 - A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead ...
10 months ago
CVE-2025-0315 - A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) ...
10 months ago
CVE-2025-0317 - A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. This can lead to a division by zero error in the ggufPadding function, causing the server to crash ...
10 months ago
1100 Ollama AI Servers Exposed Due to Misconfiguration - A recent cybersecurity incident has exposed over 1100 Ollama AI servers due to a critical misconfiguration. This exposure potentially allowed unauthorized access to sensitive AI data and models hosted on these servers. Ollama, a company specializing ...
5 months ago Cybersecuritynews.com
CVE-2025-15063 - Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this ...
CVE-2024-7773 - A vulnerability in ollama/ollama version 0.1.37 allows for remote code execution (RCE) due to improper input validation in the handling of zip files. The vulnerability, known as ZipSlip, occurs in the parseFromZipFile function in server/model.go. The ...
10 months ago
CVE-2025-0313 - A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a GGUF model that can cause a denial of service (DoS) attack. The vulnerability is due to improper validation of array index bounds in the GGUF model handling ...
10 months ago
CVE-2024-12886 - An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is ...
10 months ago
CVE-2024-8063 - A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server ...
10 months ago
CVE-2024-12055 - A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service ...
10 months ago
Ollama, Nvidia Flaws Expose AI Infrastructure to Risk - Recent vulnerabilities discovered in Ollama and Nvidia products have raised significant concerns about the security of AI infrastructure. These flaws could potentially allow attackers to exploit AI systems, leading to data breaches, unauthorized ...
3 months ago Darkreading.com
The Exploration of Static vs Dynamic Code Analysis - Two essential methodologies employed for this purpose are Static Code Analysis and Dynamic Code Analysis. Static Code Analysis involves the examination of source code without its execution. In this exploration of Static vs Dynamic Code Analysis, ...
2 years ago Feeds.dzone.com
Meta releases 'Code Llama 70B', an open-source behemoth to rival private AI development - Meta AI, the company that brought you Llama 2, the gargantuan language model that can generate anything from tweets to essays, has just released a new and improved version of its code generation model, Code Llama 70B. This updated model can write ...
2 years ago Venturebeat.com
CVE-2025-15514 - Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to ...
Dissecting GootLoader With Node.js - This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. In our debugging endeavor for GootLoader files, we use a Windows host with Node.js JavaScript runtime and ...
1 year ago Unit42.paloaltonetworks.com
CVE-2024-28224 - Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource ...
1 year ago Tenable.com
CVE-2025-63389 - A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to ...
1 month ago
CVE-2024-9840 - A Denial of Service (DoS) vulnerability exists in open-webui/open-webui version 0.3.21. This vulnerability affects multiple endpoints, including `/ollama/models/upload`, `/audio/api/v1/transcriptions`, and `/rag/api/v1/doc`. The application processes ...
10 months ago
CVE-2025-66960 - An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata ...
CVE-2025-66959 - An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder ...
CVE-2025-1975 - A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when ...
8 months ago
CVE-2024-39722 - An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route. ...
1 year ago
CVE-2024-45436 - extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory. ...
1 year ago
CVE-2025-29446 - open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection. ...
9 months ago