module
Ollama Model Registry Path Traversal RCE
| Disclosed | Created |
|---|---|
| May 5, 2024 | Feb 25, 2026 |
Description
Ollama before 0.1.34 is vulnerable to a path traversal attack via the
model pull mechanism (CVE-2024-37032). When pulling a model, the digest
field in OCI manifests is not validated, allowing an attacker to inject
path traversal sequences to write arbitrary files on the server.
This module starts a rogue OCI registry that serves two models. The first
pull writes a malicious shared library and /etc/ld.so.preload via path
traversal (a sacrificial first layer absorbs the digest verification
failure so the remaining files persist). The second pull registers a valid
model so /api/chat can spawn the llama.cpp runner process, which triggers
the dynamic linker to load the malicious library via ld.so.preload. The
library constructor forks, cleans up ld.so.preload, and executes the
payload in the child process.
The default Ollama Docker image runs as root with the API bound to
0.0.0.0:11434, making this a direct unauthenticated RCE.
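An added example, not code from this module or from Ollama: one way to validate the manifest digest field described above before it is used to build a file path. The `blobPath` and `checkManifest` helpers, the `/models/blobs` directory and the sample manifest are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Strict SHA-256 digest: "sha256:" followed by 64 lowercase hex characters.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

type layer struct{ Digest string `json:"digest"` }
type manifest struct {
	Config layer   `json:"config"`
	Layers []layer `json:"layers"`
}

// blobPath maps a validated digest to a file under blobsDir (hypothetical layout).
func blobPath(blobsDir, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("invalid digest %q", digest)
	}
	p := filepath.Join(blobsDir, strings.Replace(digest, ":", "-", 1))
	if rel, err := filepath.Rel(blobsDir, p); err != nil || strings.HasPrefix(rel, "..") {
		return "", fmt.Errorf("digest %q escapes %s", digest, blobsDir)
	}
	return p, nil
}

// checkManifest validates every digest before any blob is fetched or written.
func checkManifest(raw []byte, blobsDir string) error {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	for _, l := range append([]layer{m.Config}, m.Layers...) {
		if _, err := blobPath(blobsDir, l.Digest); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	good := "sha256:" + strings.Repeat("ab", 32) // constructed digest
	m := `{"config":{"digest":"` + good + `"},"layers":[{"digest":"../../../tmp/constructed"}]}`
	fmt.Println(checkManifest([]byte(m), "/models/blobs")) // the traversal digest is rejected
}
```

Rejecting the whole manifest before any layer is downloaded means no file is written for a pull that contains even one malformed digest.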
Authors
Platform
Linux
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':