Ray
Unauthenticated attackers can read arbitrary files on systems running Ray versions before 2.8.1 by exploiting a path traversal flaw in the Dashboard's static file handler on port 8265. The vulnerability stems from insufficient input validation that allows directory traversal sequences to bypass access controls, and public exploit code is available. No patch has been released, leaving affected Ray deployments vulnerable to local information disclosure.
Ray dashboard versions 2.53.0 and below lack proper authentication on DELETE endpoints, allowing unauthenticated attackers to terminate Serve instances or remove jobs through DNS rebinding or same-network attacks. Public exploit code exists for this vulnerability, which impacts Ray deployments with dashboards exposed to network access. Administrators should upgrade to Ray 2.54.0 or higher to remediate the availability risk.