CVE-2025-44779
Description
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Ollama v0.1.33, a crafted /api/pull request allows attackers to delete arbitrary files due to incorrect handling of digest file mismatches.
Vulnerability
Overview
CVE-2025-44779 affects Ollama versions <= 0.1.33. The vulnerability stems from an incorrect access control flaw in the /api/pull endpoint. When pulling a model, if a file already exists at the path where a digest is to be saved, the software treats it as having a mismatched digest value and deletes that file without proper authorization checks [2]. This allows an attacker to delete arbitrary files on the host system by sending a specially crafted packet to the endpoint.
Exploitation
Vector
To exploit this vulnerability, an attacker must be able to reach the Ollama HTTP API, which listens on localhost:11434 by default but may be exposed to the network. The attacker crafts a POST request to /api/pull with parameters that make the server check for a file at a chosen path. Given a malicious manifest or digest reference, the server attempts to save the digest and, on finding a pre-existing file, deletes it on the assumption that the digest does not match [2]. As the advisory details, the attack can be staged from a custom private registry server, so remote exploitation is possible whenever the API is reachable [2].
Impact
Successful exploitation results in arbitrary file deletion. An attacker could delete critical system files, configuration files, or model data, leading to denial of service, data loss, or potential privilege escalation if deleted files affect security mechanisms. The vulnerability does not require authentication to the Ollama service [2].
Mitigation
The vulnerability has been patched in Ollama version 0.1.34 and later. Users are strongly advised to upgrade immediately. There is no known workaround; restricting network access to the Ollama API can reduce risk but does not fully mitigate the flaw [2]. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ollama/ollama (Go) | < 0.1.34 | 0.1.34 |
Affected products
- Ollama/Ollama
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-93jv-pvg8-hf3v (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-44779 (source: GHSA; type: advisory)
- a1batr0ss.top/2025/03/17/Ollama-arbitrary-file-deletion-vulnerability (sources: GHSA, MITRE; type: web)
- a1batr0ss.top/2025/08/06/CVE-2025-44779-Ollama-arbitrary-file-deletion (sources: GHSA, MITRE; type: web)
News mentions
No linked articles in our index yet.