CVE-2024-39721: 
Wolfi vulnerability analysis and mitigation

An issue was discovered in Ollama before version 0.1.34 that could enable denial-of-service (DoS) attacks. The vulnerability, identified as CVE-2024-39721, exists in the CreateModelHandler function where the req.Path parameter is user-controlled and can be manipulated to cause infinite loops, leading to resource exhaustion (Oligo Blog, NVD).

The vulnerability stems from the CreateModelHandler function's use of os.Open to read a file until completion. When the req.Path parameter is set to /dev/random, which is blocking, it causes the goroutine to run infinitely, even after the HTTP request is aborted by the client. The vulnerability has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and is classified under CWE-404 (Improper Resource Shutdown or Release) (NVD).

When exploited, this vulnerability can cause extensive resource consumption through a never-ending loop. Repeated calls to the affected endpoint can rapidly increase CPU usage on the impacted machine to 80-90%, ultimately leading to denial of service. The attack can be initiated with a single HTTP request (Oligo Blog).

The vulnerability has been patched in Ollama version 0.1.34. Organizations using affected versions should upgrade to version 0.1.34 or later to mitigate this security risk (Oligo Blog).

According to research, approximately 10,000 unique internet-facing IPs were running Ollama at the time of discovery, with one in four servers being vulnerable to this and other discovered vulnerabilities. The security community has emphasized the importance of proper configuration and timely updates, particularly given Ollama's increasing adoption in enterprise environments (Oligo Blog).