
Ollama AI Framework Vulnerabilities Expose Crypto Infrastructure to Remote Attacks

The open-source artificial intelligence infrastructure landscape faced a sobering reality check on May 21, 2024, as researchers from Oligo Security disclosed a batch of six critical vulnerabilities in Ollama, one of the most popular frameworks for running large language models locally and in enterprise environments. With over 64,000 stars on GitHub at the time of discovery — a figure that would surge to 94,000 within three months — Ollama has become a cornerstone tool for organizations deploying AI models. But its rapid adoption has outpaced its security posture, and the consequences could ripple across the cryptocurrency ecosystem, where AI-powered trading bots, smart contract auditors, and on-chain analytics platforms increasingly depend on local inference infrastructure.

The Exploit Mechanics

Oligo Security uncovered a troubling array of attack vectors, four of which were confirmed by Ollama maintainers on May 21 and assigned CVE identifiers. The most severe, CVE-2024-39720, involves an out-of-bounds read vulnerability in the /api/create endpoint. An attacker needs only two HTTP requests to upload a malformed GGUF file — containing as few as four bytes with the GGUF magic header — which triggers a segmentation fault and crashes the entire application. The attack requires no authentication and no user interaction.

CVE-2024-39721 enables denial-of-service through the same CreateModel API route, but via an infinite loop triggered by a single HTTP request. A remote attacker can render an Ollama deployment completely unresponsive, disrupting any AI-dependent services running downstream.
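Both CVEs above share one root: the server parses an uploaded model file before checking that the file can possibly be what it claims. As an added example, not Ollama's own code, the following Go validator shows the bounds-checked header parsing a defender would put in front of a model-import path. It assumes the GGUF v2/v3 fixed header layout (magic, version, tensor count, metadata count, all little-endian), rejects the magic-only four-byte file the disclosure describes, and refuses any file whose declared counts could not fit in the bytes actually received, which is what keeps a lying header from driving an out-of-range read or an unbounded parsing loop.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Fixed 24-byte GGUF v2/v3 header (assumed layout, little-endian): magic,
// version uint32, tensor_count uint64, metadata_kv_count uint64.
const (
	ggufMagic      = 0x46554747 // ASCII "GGUF" read as little-endian uint32
	headerSize     = 24
	minKVBytes     = 12 // smallest metadata entry: 8-byte key len + 4-byte type
	minTensorBytes = 24 // smallest tensor info: name len + ndims + type + offset
)

type Header struct {
	Version     uint32
	TensorCount uint64
	KVCount     uint64
}

// ParseHeader validates a candidate GGUF blob before anything else touches it.
// Every read is bounds-checked and the declared counts are cross-checked
// against the bytes actually present, so a magic-only 4-byte file or one
// declaring billions of entries is rejected rather than crashing or spinning.
func ParseHeader(data []byte) (Header, error) {
	if len(data) < headerSize {
		return Header{}, fmt.Errorf("gguf: truncated header, only %d bytes", len(data))
	}
	if binary.LittleEndian.Uint32(data[0:4]) != ggufMagic {
		return Header{}, fmt.Errorf("gguf: bad magic %q", data[0:4])
	}
	h := Header{
		Version:     binary.LittleEndian.Uint32(data[4:8]),
		TensorCount: binary.LittleEndian.Uint64(data[8:16]),
		KVCount:     binary.LittleEndian.Uint64(data[16:24]),
	}
	if h.Version != 2 && h.Version != 3 {
		return Header{}, fmt.Errorf("gguf: unsupported version %d", h.Version)
	}
	// Divide instead of multiply so absurd counts cannot overflow the check.
	rest := uint64(len(data) - headerSize)
	if h.KVCount > rest/minKVBytes || h.TensorCount > rest/minTensorBytes ||
		h.KVCount*minKVBytes+h.TensorCount*minTensorBytes > rest {
		return Header{}, fmt.Errorf("gguf: %d kv + %d tensors exceed %d bytes", h.KVCount, h.TensorCount, rest)
	}
	return h, nil
}
```

A real importer would continue with the same discipline for every string length and tensor dimension that follows the header; the header check alone only guarantees the counts are plausible, not that the rest of the file is well-formed.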

Two file disclosure vulnerabilities — CVE-2024-39722 (path traversal via /api/push) and CVE-2024-39719 (file existence enumeration via /api/create) — give attackers a reconnaissance foothold. By determining which files exist on the server, threat actors can map the filesystem and stage more sophisticated attacks.

Perhaps most concerning for crypto projects are the two “shadow vulnerabilities” that Ollama maintainers disputed but Oligo stands behind. The first, a model poisoning flaw (CWE-668), allows any client to pull a model from an unverified HTTP source through the /api/pull route. The second, model theft (CWE-285), lets anyone push proprietary models to an external server via /api/push — again with zero authentication. For a crypto trading firm running custom fine-tuned models for market prediction, either of these could be catastrophic.

Affected Systems

All versions of Ollama up to and including 0.1.45 are vulnerable to at least one of these flaws. The patched version, 0.1.47, addressed the four confirmed CVEs but left the model poisoning and model theft issues unresolved. Wiz Research separately discovered CVE-2024-37032, dubbed “Probllama,” a remote code execution vulnerability patched in version 0.1.34 but still actively exploited on thousands of exposed servers.

Internet scans conducted by Wiz revealed over 1,000 Ollama instances running vulnerable versions and exposed directly to the internet. Many of these were hosting private, proprietary models not listed in the Ollama public repository — a particularly alarming finding for organizations in the financial and cryptocurrency sectors.

Docker deployments of Ollama are especially at risk because the API server is publicly exposed by default, unlike the standard Linux installation which binds to localhost.

The Mitigation Strategy

Organizations running Ollama should immediately upgrade to version 0.1.47 or later. For Docker deployments, the API must never be exposed without a reverse proxy that enforces authentication. Network segmentation is essential: AI inference servers should sit in an isolated VLAN with strict firewall rules, accessible only to authorized applications.

Crypto projects integrating Ollama for smart contract analysis or trading signal generation should implement model integrity verification. Cryptographic hashes of model files should be stored on-chain or in a tamper-evident log, and every inference request should validate the model checksum before execution.
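One way to wire that checksum gate into an inference path, written in Go as an added example rather than any project's own code: a manifest of pinned SHA-256 digests (an in-memory map here; the on-chain or tamper-evident log above would be the real store) is consulted before every request, an unpinned or mismatched model file is refused before inference runs, and the digest comparison is constant-time. The `run` callback stands in for the actual inference call.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// Manifest pins the hex SHA-256 of every model file the host may load; the
// deployment above would read it from its tamper-evident log (assumed store).
type Manifest map[string]string
// hashFile streams the file through SHA-256 (model files are too big to slurp).
func hashFile(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}
// Verify succeeds only if the file at path hashes to the value pinned for
// name. Unpinned models are refused outright; the comparison is constant-time.
func (m Manifest) Verify(name, path string) error {
	want, err := hex.DecodeString(m[name])
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("model %q has no valid pinned SHA-256", name)
	}
	got, err := hashFile(path)
	if err != nil {
		return fmt.Errorf("reading %s: %w", path, err)
	}
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return fmt.Errorf("model %q checksum mismatch, refusing to load", name)
	}
	return nil
}
// Infer gates every request: verify first, then run (stand-in for real inference).
func Infer(m Manifest, name, path, prompt string, run func(string) string) (string, error) {
	if err := m.Verify(name, path); err != nil {
		return "", err
	}
	return run(prompt), nil
}
```

Hashing a multi-gigabyte model on every request is expensive; a production gate would verify once at load time and then guard the loaded file against replacement (for example by holding it open or pinning its inode), but the refuse-before-run ordering is the part that matters.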

Regular vulnerability scanning of AI infrastructure should be treated with the same urgency as traditional web application security testing. The rapid pace of CVE discoveries in inference frameworks like Ollama, TorchServe, and Anyscale's Ray suggests this will be an ongoing battle.

Lessons Learned

The Ollama vulnerability disclosure underscores a broader pattern in AI infrastructure: security is being sidelined in favor of rapid feature development and deployment. Organizations are adopting AI tools at breakneck speed, often without considering the attack surface they introduce. In the crypto space, where financial assets are directly at stake, this negligence can translate to real monetary losses.

The lack of built-in authentication in Ollama — a design choice mirrored in other popular AI frameworks — reflects the assumption that these tools run in trusted environments. In practice, enterprise deployments often expose these services to broader networks than intended.

User Action Required

Bitcoin trades around $70,136 and Ethereum at $3,789 as the market digests the implications of SEC signaling potential approval of spot Ethereum ETFs. In this environment of surging crypto valuations and institutional interest, the security of AI infrastructure supporting trading and analysis becomes even more critical. If your organization uses Ollama or any local AI inference framework, patch immediately, audit your network exposure, and implement authentication layers. The next exploit may not be a disclosure — it may be an attack.

This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security or investment decisions.


8 thoughts on “Ollama AI Framework Vulnerabilities Expose Crypto Infrastructure to Remote Attacks”

  1. sec_researcher_

    CVE-2024-39720 is nasty. two HTTP requests to trigger an out-of-bounds read on the create endpoint. and this is what people are using to run their trading bots locally

    1. Hiroshi Tanaka

      the crypto angle here is real. a lot of MEV bots and automated trading systems run local LLMs for signal generation. compromised inference = compromised trades

      1. the fact that MEV bots rely on this is terrifying. one compromised inference endpoint and your edge is gone, plus someone else is trading against you

      2. compromised inference means compromised trading signals. if your LLM feeds you bad data and you execute on it automatically, the attacker doesn't even need to touch your wallet

    2. two HTTP requests. that's it. no auth needed, no special access. just send a malformed GGUF file twice and you have arbitrary memory read. the attack surface is absurd for something with 94k stars

    1. Andre O. is spot on. 94k stars and the default config exposes the API with no auth. people cargo-cult popular repos without checking the security model

  2. been running ollama in prod for months. patched within hours of the disclosure but the fact that it was vulnerable that whole time is… concerning
