Ollama Server-Side Request Forgery Vulnerability in Model Pull API

A server-side request forgery (SSRF) vulnerability has been identified in Ollama versions prior to 18.1. This issue arises in the Model Pull API, specifically within the file server/download.go. The vulnerability allows remote attackers to manipulate requests that the server makes to internal services, potentially leading to unauthorized access to sensitive data or services.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can read HTTP responses from internal services on the host running Ollama. This could include access to databases, admin panels, key-value stores, cloud metadata endpoints, and internal APIs.

Reproduction

To reproduce this vulnerability, deploy Ollama in a Docker container that binds to an external IP address and runs as root. Once the application is running, use the Model Pull API to pull a model from a malicious OCI registry. The registry can respond with a redirect to an internal URL, such as a database information endpoint or a cloud metadata service. Ollama will follow this redirect, fetch the internal resource, and write the response to a blob file on disk. The captured data can then be retrieved by pushing the model back to an attacker-controlled registry.