CVE-2023-48022
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Analysis
Anyscale Ray 2.6.3 and 2.8.0 expose an unauthenticated job submission API that allows remote code execution by design. The vendor considers this expected behavior for a compute framework intended for trusted network environments, but internet-exposed Ray clusters are actively exploited by cryptominers and data exfiltration campaigns.
Technical Context
Ray is a distributed computing framework for ML/AI workloads. The dashboard (port 8265) and job submission API intentionally allow unauthenticated code execution as this is the framework's core functionality. The vendor explicitly states Ray is not designed for untrusted network exposure. However, cloud misconfigurations frequently expose Ray clusters to the internet, and the API accepts arbitrary Python code execution.
Affected Products
['Anyscale Ray 2.6.3', 'Anyscale Ray 2.8.0', 'Ray clusters on AWS/GCP/Azure without network restrictions']
Remediation
Never expose Ray clusters to the internet. Place Ray behind a VPN or private network with strict access controls. Enable Ray's authentication features if available in newer versions. Monitor Ray job submission logs for unexpected workloads. Audit cloud security groups for port 8265 exposure.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today