ollama - 💡(How to fix) Fix Template engine parses untrusted model templates — Go text/template with json.Marshal in funcs

CWE-94: Template Injection via Untrusted Model Files — Go text/template Method Calls

Severity: MEDIUM (CVSS 5.3)

Location

server/images.go — GetModel() reads template from model layer:

case "application/vnd.ollama.image.template":
    bts, _ := os.ReadFile(filename)
    m.Template, _ = template.Parse(string(bts))

template/template.go — funcs map includes:

var funcs = template.FuncMap{
    "json": func(v any) string { b, _ := json.Marshal(v); return string(b) },
}

Description

When a user runs ollama pull malicious-model from an untrusted registry, the model's template is parsed by Go's text/template engine and executed during inference. The template funcs map includes json (which calls json.Marshal) and the template has access to all fields on the Values struct including nested Messages, Tools, and their properties.

While Go's text/template is not as powerful as html/template for code execution, the json.Marshal call on arbitrary input could be used to:

• Trigger panics in the server by passing non-serializable objects
• Extract internal state via template field traversal
• Generate excessive output via recursive template structures

The deleteNode function also walks and mutates the template parse tree at runtime, which could interact unexpectedly with malicious template structures.

Impact

A malicious model from an untrusted registry (or a model shared via ollama push to a private registry) could include a crafted template that causes unexpected behavior during inference.

Remediation

1. Validate templates at pull time using a safe parser
2. Document that users should only pull models from trusted registries
3. Consider sandboxing template execution (e.g., limit output size, restrict available functions)
4. Add a Content-Security-Policy-style template policy for allowed functions