CVE-2024-45436: extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent direct
Summary
Ollama before version 0.1.47 has a vulnerability in its extractFromZipFile function: it can extract files from a ZIP archive outside of the intended parent directory, a weakness known as path traversal (CWE-22, in which an attacker manipulates file paths to reach directories they should not). This could allow an attacker to write files to unintended locations on a system when a specially crafted ZIP file is processed.
Solution / Mitigation
Update Ollama to version 0.1.47 or later. The fix is available in the comparison between v0.1.46 and v0.1.47 (https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47) and was implemented in pull request #5314 (https://github.com/ollama/ollama/pull/5314).
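The root cause described above is a destination path built from an archive member name without confirming it stays under the extraction directory. The following Go helper is an added illustration, not Ollama's code and not the fix from #5314: it shows the unsafe Join-only pattern beside a check that rejects member names escaping the parent. The parent path and member names are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideParent is returned when a ZIP member name would resolve to a
// location outside the extraction directory.
var ErrOutsideParent = errors.New("zip member resolves outside parent directory")

// naiveExtractPath is the unsafe pattern: filepath.Join cleans "../"
// segments, but a cleaned path may still sit above parent.
func naiveExtractPath(parent, member string) string {
	return filepath.Join(parent, member)
}

// safeExtractPath returns the on-disk destination for a ZIP member name, or
// ErrOutsideParent if that name escapes parent. Hypothetical helper written
// for this example; ZIP member names are slash-separated per the spec.
func safeExtractPath(parent, member string) (string, error) {
	cleanParent := filepath.Clean(parent)
	// Absolute member names ignore parent entirely, so reject them outright.
	if filepath.IsAbs(member) || strings.HasPrefix(member, "/") {
		return "", ErrOutsideParent
	}
	// Join normalises the path; Rel then tells us whether it is still under parent.
	dest := filepath.Join(cleanParent, filepath.FromSlash(member))
	rel, err := filepath.Rel(cleanParent, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideParent
	}
	return dest, nil
}

func main() {
	// Constructed sample member names: two benign, two traversal attempts.
	for _, name := range []string{"model.bin", "weights/layer1.bin", "../../etc/passwd", "sub/../../escape"} {
		dest, err := safeExtractPath("/tmp/extract", name)
		fmt.Printf("%-22q -> dest=%q err=%v\n", name, dest, err)
	}
}
```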
Vulnerability Details
7.5 (High)
EPSS: 29.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-45436
First tracked: February 15, 2026 at 08:44 PM
Classified by LLM (prompt v3) · confidence: 92%