High severity8.8NVD Advisory· Published May 31, 2024· Updated Jun 17, 2026
CVE-2024-37032
CVE-2024-37032
Description
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ollama/ollamaGo | < 0.1.34 | 0.1.34 |
Affected products
7- osv-coords6 versionspkg:apk/chainguard/ollamapkg:apk/chainguard/ollama-cpupkg:apk/wolfi/ollamapkg:apk/wolfi/ollama-cpupkg:golang/github.com/ollama/ollamapkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0.1.44-r0+ 5 more
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.44-r0
- (no CPE)range: < 0.1.34
- (no CPE)range: < 0.0.20241213T205935-1.1
Patches
Vulnerability mechanics
References
8- www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-8hqg-whrw-pv92ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-37032ghsaADVISORY
- github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.gonvdProductWEB
- github.com/ollama/ollama/commit/2a21363bb756a7341d3d577f098583865bd7603fghsaWEB
- github.com/ollama/ollama/compare/v0.1.33...v0.1.34nvdRelease NotesWEB
- github.com/ollama/ollama/pull/4175nvdIssue TrackingWEB
- pkg.go.dev/vuln/GO-2024-2901ghsaWEB
News mentions
0No linked articles in our index yet.