Probllama is a path traversal vulnerability in Ollama before version 0.1.34. When Ollama pulls a model from a private or otherwise untrusted registry, it processes manifest digest values without enforcing the expected sha256 digest format of 64 hexadecimal characters. Because the digest is used to derive a model blob path, a crafted digest containing traversal elements or malformed length can cause path resolution outside the intended model storage directory. This enables arbitrary file write or overwrite on the host filesystem. Reported exploitation paths show that the arbitrary file write primitive can be extended to arbitrary file read in related model-handling flows and, in common deployments such as containers running Ollama as root, can be escalated to remote code execution by overwriting files that influence dynamic library loading or process startup behavior.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a working PoC exploit for CVE-2024-37032 targeting Ollama on Linux. It is not a scanner or detector; it combines a local connector script, an attacker-controlled fake registry server, and a preload-based privilege-escalation payload. Structure and purpose: - server.py starts a FastAPI/Uvicorn rogue registry on 0.0.0.0:8000. - connector.py talks to the target Ollama API at 127.0.0.1:11434 and issues POST requests to /api/pull and /api/push with a crafted model name pointing to the attacker registry (10.10.16.160/rogue/sh4dow). - rogue_server/ contains the fake registry implementation: - application.py wires routers and services. - config.py defines attacker host, traversal strings, target file (/etc/ld.so.preload), and the path to the malicious shared object. - manifests.py builds malicious OCI/Docker-style manifest data whose digest fields contain path traversal sequences aimed at sensitive target-side paths. - routes/pull.py serves crafted manifest and blob responses, including responses for /etc/ld.so.preload, the target-side Ollama manifest path, and /tmp/notfoundfile. - routes/push.py emulates upload endpoints and returns a forged upload Location header. - uploads.py constructs the upload callback URL with a _state parameter. - preload_privs_demo.c is the payload source. When compiled as a shared object and loaded through ld.so.preload, its constructor calls setuid(0) and setgid(0). Main exploit capability: The exploit abuses Ollama registry pull/push behavior with crafted manifest/blob paths containing directory traversal sequences. The rogue server attempts to cause the target to treat attacker-controlled content as file-backed blobs, specifically to update /etc/ld.so.preload with the path to a malicious shared object already placed on the target. Once that library is loaded by a privileged process, the constructor elevates privileges to root. Operational flow: 1. Operator compiles preload_privs_demo.c into libpreload_privs_demo.so. 2. Operator places the .so on the target and sets exploit_path in config.py to its absolute path. 3. Operator runs the rogue FastAPI registry server. 4. Operator runs connector.py on the target or somewhere with access to the target Ollama API. 5. connector.py triggers Ollama pull/push operations against the rogue registry. 6. The rogue registry serves crafted manifests and fake blob/upload endpoints designed to manipulate target-side file paths. 7. If successful, /etc/ld.so.preload references the malicious .so, enabling root privilege transition. Notable observables: - Target API: 127.0.0.1:11434, endpoints /api/pull and /api/push. - Rogue registry namespace: /v2/rogue/sh4dow/... - Sensitive file target: /etc/ld.so.preload. - Target-side manifest path: /root/.ollama/models/manifests/<HOST>/rogue/sh4dow/latest. - Default attacker host hardcoded in code/config: 10.10.16.160. Overall, this is an operational PoC with a hardcoded/basic payload rather than a generalized framework module.
This repository provides an operational exploit for CVE-2024-37032 and CVE-2024-45436, targeting Ollama instances running on Linux with versions prior to 0.1.47. The exploit is implemented in Go (main.go) and automates the process of achieving remote code execution via the Ollama API. The attack works by generating a malicious shared object (hook.so) in C, which executes an attacker-supplied shell command (commonly a reverse shell). This shared object is zipped with a payload that overwrites /etc/ld.so.preload, causing the system to load the attacker's code. The exploit uploads this zip file to the target via the /api/blobs endpoint, creates a model referencing the malicious blob, and triggers code execution through the /api/embeddings endpoint. The README provides usage instructions, including an example reverse shell command. The repository is structured with a single main exploit file (main.go), a README, and Go module files. The exploit requires the attacker to specify the target Ollama API URL and the command to execute, and is effective against vulnerable Ollama installations accessible over HTTP.
This repository provides a proof-of-concept (PoC) exploit for CVE-2024-37032, a path traversal vulnerability in Ollama (tested on version 0.1.33). The exploit consists of two main components: a rogue registry server implemented in Python using FastAPI (rogue_registry_server/server.py), and a PoC script (poc.py) that triggers the vulnerability by instructing a vulnerable Ollama instance to interact with the rogue server. The rogue server serves crafted Docker registry API responses containing malicious path traversal payloads in manifest and layer digests, targeting sensitive files such as /etc/passwd, /etc/shadow, and files within the Ollama data directory. The PoC demonstrates the ability to read arbitrary files from the target system by exploiting the way Ollama handles registry responses. The repository is structured with clear separation between the exploit server and the trigger script, and includes documentation and requirements for easy setup. No detection-only scripts are present; the code is a functional exploit.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A more severe Ollama vulnerability, also called Probllama, involving arbitrary file write/overwrite via an unvalidated digest field in a pulled model manifest, potentially escalating to remote code execution.
A vulnerability in the Ollama AI platform mentioned only as an example of another CWE-1287 issue for comparison.
A path traversal vulnerability in Ollama that leads to remote code execution, referenced as a Metasploit module PR.
A path traversal vulnerability in Ollama’s model pull mechanism that can be leveraged to write a malicious shared object and achieve unauthenticated root remote code execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.