Hijacking Ollama’s Signed Installer for Code Execution
Description

This blog post is part of an ongoing series exploring how AI-related tools aimed at developers can be exploited to compromise their machines. As these tools increasingly integrate deep system access, they also expand the attack surface available to threat actors. In our first post, we outlined a remote code execution vulnerability in Cursor. With this second entry, we turn our attention to Ollama.

What is Ollama?

Ollama is an open-source tool for running large language models locally, with over 143k GitHub stars. It topped Runa Capital's 2024 ROSS Index as the hottest open-source startup. It offers an easy-to-use CLI and access to a library of popular models such as Llama, Deepseek, and Mistral. By keeping everything on your machine, it gives you full control over your data and enhances privacy.

The Bug

As mentioned before, Ollama is open-source, and therefore I was able to review its code. Like many cross-platform applications, it uses Electron, a framework for writing desktop applications with web technologies like JavaScript, HTML, and CSS. I started by looking at macos/src/app.tsx, which is what gets rendered when you install the Ollama application. It shows an install button that, when clicked, attempts to create a symlink at /usr/local/bin/ollama, which requires administrator privileges. Here is the code responsible for it: The interesting part of this code is the "ollama" variable, which is inserted into the shell command. This introduces a command injection…
