CVE-2024-28224
Published: 08 April 2024
Summary
CVE-2024-28224 is a medium-severity Origin Validation Error (CWE-346) vulnerability in Ollama Ollama. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models; in the Protocol-Specific Risks risk domain; MITRE ATLAS techniques in scope: AML.T0040.000, Direct (AML.T0051.000), Financial Harm (AML.T0048.000).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1103
Vulnerability details
Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Ollama provides a REST API for running and interacting with large language models locally, and the vulnerability exposes this API via DNS rebinding.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DNS rebinding vulnerability (CVE-2024-28224) enables remote unauthorized API access to Ollama, facilitating remote service exploitation (T1210), model file deletion (T1070.004), and resource exhaustion DoS via LLM inference (T1499.003).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
Mandates origin validation so that only legitimate endpoints can continue the authenticated session.