Ollama Zip Slip Path Traversal β CVE-2024-45436 PoC
WARNING: MALICIOUS FILE β SECURITY RESEARCH ONLY
Vulnerability
File: server/model.go
Function: extractFromZipFile()
CVE: CVE-2024-45436
Description
Ollama < 0.1.47 does not validate extracted file paths stay within the models
directory. A ZIP with path traversal filenames like ../../../../etc/ld.so.preload
writes files outside the intended directory.
// Vulnerable: no path prefix validation
for _, f := range zip.File {
path := filepath.Join(modelsDir, f.Name)
// f.Name = "../../../../etc/ld.so.preload" β writes outside models dir
}
Impact
- Severity: Critical (CVSS 9.1)
- Attack Vector: Serve malicious model ZIP β Ollama extracts β arbitrary file write
- Result: RCE via /etc/ld.so.preload overwrite
- Fix: Ollama 0.1.47+ adds prefix validation
Reproduction
# Malicious ZIP contains: ../../../../etc/ld.so.preload
# When Ollama extracts it, file is written outside models dir
References
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support