CVE-2024-39721

Name of the Vulnerable Software and Affected Versions: Ollama versions prior to 0.1.34

Description: The issue is related to an uncontrolled consumption of resources in Ollama. It is caused by the CreateModelHandler function using os.Open to read a file until completion, where the req.Path parameter is user-controlled and can be set to /dev/random, leading to a blocking condition that causes the goroutine to run infinitely, even after the HTTP request is aborted by the client. This can allow a remote attacker to cause a denial of service.

Recommendations: For Ollama versions prior to 0.1.34, update to version 0.1.34 to patch this flaw. As a temporary workaround, consider restricting access to the CreateModelHandler function or avoiding the use of the req.Path parameter with /dev/random input to minimize the risk of exploitation.