Ollama Heap Out-of-Bounds Read Vulnerability in GGUF Model Loader Allowing Data Exfiltration

Vulnerability

A heap out-of-bounds read vulnerability has been identified in Ollama versions prior to 0.17.1, specifically within the GGUF model loader. The vulnerability arises in the /api/create endpoint, which accepts user-supplied GGUF files. Attackers can exploit this by crafting files that include tensor offsets and sizes exceeding the actual file length. During the quantization process, the server inadvertently reads beyond the allocated heap buffer. This out-of-bounds read can leak sensitive memory contents, such as environment variables, API keys, system prompts, and conversation data from other users. The exfiltrated data can be uploaded as part of a model artifact through the /api/push endpoint to an attacker-controlled registry. Notably, the /api/create and /api/push endpoints do not require authentication in the default Ollama distribution. While default deployments are bound to 127.0.0.1, the widely used OLLAMA_HOST=0.0.0.0 configuration exposes these endpoints to the public internet.

Impact

Exploitation results in a heap out-of-bounds read that discloses process memory. An attacker can use this to exfiltrate sensitive information such as environment variables, API keys, and private conversation data from other users.

Reproduction

To reproduce this vulnerability, upload a GGUF file through the /api/create endpoint that contains tensor offsets and sizes exceeding the file's actual length. This can be done by creating a GGUF file that intentionally misdeclares tensor dimensions. Once the file is processed, the leaked memory contents can be accessed by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry.

Remediation

Users are advised to update Ollama to version 0.17.1 or later, where this vulnerability has been addressed.
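The kind of bounds check the flaw described above calls for, as an added example (not Ollama's code and not its actual patch). TensorInfo, CheckTensor, declaredSize and the four-entry type table are hypothetical names and a deliberately small subset chosen for illustration; the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// TensorInfo holds the fields a GGUF tensor descriptor declares (hypothetical type).
type TensorInfo struct {
	Dims   []uint64
	Type   uint32 // ggml type id
	Offset uint64 // relative to the start of the tensor data section
}

// Subset of ggml types (F32, F16, Q4_0, Q8_0): id -> {elements per block, bytes per block}.
var layout = map[uint32][2]uint64{0: {1, 4}, 1: {1, 2}, 2: {32, 18}, 8: {32, 34}}
var ErrBadTensor = errors.New("tensor descriptor invalid or outside file")

// declaredSize returns the byte size implied by dims and type; false on unknown type or uint64 wrap.
func declaredSize(t TensorInfo) (uint64, bool) {
	bl, known := layout[t.Type]
	if !known {
		return 0, false
	}
	elems := uint64(1)
	for _, d := range t.Dims {
		hi, lo := bits.Mul64(elems, d)
		if hi != 0 {
			return 0, false
		}
		elems = lo
	}
	hi, size := bits.Mul64(elems/bl[0], bl[1])
	return size, hi == 0 && elems%bl[0] == 0
}

// CheckTensor rejects data past fileSize; each subtraction is from a known-larger value, so nothing wraps.
func CheckTensor(t TensorInfo, dataStart, fileSize uint64) error {
	size, ok := declaredSize(t)
	if !ok || dataStart > fileSize || t.Offset > fileSize-dataStart ||
		size > fileSize-dataStart-t.Offset {
		return ErrBadTensor
	}
	return nil
}

func main() {
	fmt.Println(CheckTensor(TensorInfo{Dims: []uint64{4096, 4096}}, 128, 1024)) // constructed: 64 MiB F32 tensor, 1 KiB file
}
```

The check has to run on every descriptor before any tensor data is read or quantized, and it compares against the real file length rather than any length field inside the file.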

Added: May 4, 2026, 1:18 PM
Updated: May 4, 2026, 1:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 0.6
exploitability: 8.8
remediation: 7.7
relevance: 7.4
threat: 4.8
urgency: 10.0
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.