CVE-2023-48022: Ray: unauthenticated RCE via job submission API
GHSA-6wgj-66m2-xxp2 | CRITICAL | ACTIVELY EXPLOITED | PoC AVAILABLE | NUCLEI TEMPLATE | CISA: ATTEND
Any Ray cluster reachable outside a strictly controlled network is fully compromised — no credentials required. EPSS of 91.8% means active exploitation is near-certain. There is no patch; the vendor considers this a deployment problem, not a bug. Block port 8265 immediately, audit all Ray deployments, and treat any exposed cluster as already compromised.
Risk Assessment
Critical. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means zero-friction exploitation from the internet. EPSS 0.917 places this in the top tier of actively exploited vulnerabilities. The vendor's 'working as designed' position eliminates any patch timeline — the full risk burden falls on operators indefinitely. ML teams routinely expose Ray dashboards for operational convenience, and cloud-hosted Ray clusters with permissive security groups are a common real-world misconfiguration. No compensating controls exist at the application layer.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ray | pip | <= 2.49.2 | No patch |
Do you use ray? You're affected.
Recommended Action
- Immediately identify all Ray deployments: scan for port 8265 (dashboard/job API) and 10001 (GCS) exposed outside network controls.
- Block these ports at firewall/security group level with no exceptions — this is the only effective mitigation.
- If external access is operationally required, deploy an authenticating reverse proxy (nginx with OAuth2 proxy or mTLS) in front of the Ray dashboard.
- Use Anyscale's official verification tooling (anyscale.com blog post) to confirm exposure status.
- Audit Ray cluster IAM roles and service accounts — assume any previously exposed cluster is compromised, rotate all credentials.
- Enable audit logging on job submissions to detect retroactive unauthorized access.
- Implement network segmentation for all ML infrastructure; Ray clusters should never share network segments with production systems or internet-facing services.
- No upstream patch exists or is planned; all risk management is operational.
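One way to run the port audit from the steps above against AWS security groups, as an added example that is not from the advisory or the Ray project: it reads data shaped like `aws ec2 describe-security-groups` output and reports ingress rules that open 8265 or 10001 to sources outside the networks you declare trusted. The group IDs, the sample data and the trusted range 10.20.0.0/16 are constructed assumptions.

```python
import ipaddress

# Ports named on this page: 8265 (dashboard / job API) and 10001 (GCS).
RAY_PORTS = {8265: "dashboard/job API", 10001: "GCS"}

def exposed_ray_rules(describe_output, trusted_cidrs):
    """Return (group_id, port, cidr) for ingress rules that open a Ray port
    to a source range not contained in any trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":            # all protocols, so all ports
                low, high = 0, 65535
            elif proto == "tcp":
                low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue
            ports = [p for p in RAY_PORTS if low <= p <= high]
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Rules that reference other security groups (UserIdGroupPairs)
            # are not evaluated here and need a separate review.
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                inside = any(net.version == t.version and net.subnet_of(t)
                             for t in trusted)
                if not inside:
                    findings.extend((sg["GroupId"], p, cidr) for p in ports)
    return findings

# Constructed sample; group IDs and ranges are placeholders.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8265, "ToPort": 8265,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 11000,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.5.0/24"}]}]},
]}

if __name__ == "__main__":
    for group_id, port, cidr in exposed_ray_rules(SAMPLE, ["10.20.0.0/16"]):
        print(f"{group_id}: {port} ({RAY_PORTS[port]}) open to {cidr}")
```

Wide port ranges and the IPv6 `::/0` rule are the cases a search for "8265" alone misses, which is why the check works on ranges rather than exact ports.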
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2023-48022?
Any Ray cluster reachable outside a strictly controlled network is fully compromised — no credentials required. EPSS of 91.8% means active exploitation is near-certain. There is no patch; the vendor considers this a deployment problem, not a bug. Block port 8265 immediately, audit all Ray deployments, and treat any exposed cluster as already compromised.
Is CVE-2023-48022 actively exploited?
Yes, CVE-2023-48022 is confirmed actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.
How to fix CVE-2023-48022?
1. Immediately identify all Ray deployments: scan for port 8265 (dashboard/job API) and 10001 (GCS) exposed outside network controls.
2. Block these ports at firewall/security group level with no exceptions — this is the only effective mitigation.
3. If external access is operationally required, deploy an authenticating reverse proxy (nginx with OAuth2 proxy or mTLS) in front of the Ray dashboard.
4. Use Anyscale's official verification tooling (anyscale.com blog post) to confirm exposure status.
5. Audit Ray cluster IAM roles and service accounts — assume any previously exposed cluster is compromised, rotate all credentials.
6. Enable audit logging on job submissions to detect retroactive unauthorized access.
7. Implement network segmentation for all ML infrastructure; Ray clusters should never share network segments with production systems or internet-facing services.
8. No upstream patch exists or is planned; all risk management is operational.
What systems are affected by CVE-2023-48022?
This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving infrastructure, hyperparameter tuning clusters, ML platform infrastructure, data processing pipelines, reinforcement learning environments.
What is the CVSS score for CVE-2023-48022?
CVE-2023-48022 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 92.19%.
Technical Details
NVD Description
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
Exploitation Scenario
An attacker performs an internet-wide scan for port 8265 (readily available via Shodan/Censys). On finding an exposed Ray dashboard, they POST a crafted job to /api/jobs/ with a malicious Python entrypoint — a reverse shell, credential harvester, or model exfiltration script. Ray executes the job across all cluster workers with no authentication check, granting immediate RCE. In a typical ML training environment, the attacker harvests AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from worker environment variables within seconds, then pivots to S3 buckets containing proprietary training data and model artifacts. Alternatively, they inject a data poisoning payload into the active training job by modifying input data mid-run, compromising model integrity without triggering obvious alerts. The MITRE ATLAS case study AML.CS0023 documents this exact attack pattern in the wild.
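For the audit-logging step, a detection example added here (not code from the advisory or from Ray): assuming the dashboard sits behind a reverse proxy that writes nginx combined-format access logs, it flags POST requests to /api/jobs/ from sources outside the trusted networks and separates accepted submissions from rejected ones. The log lines and the trusted range 10.20.0.0/16 are constructed.

```python
import ipaddress
import re

# nginx "combined" access-log format: source IP, time, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def job_submissions_from_untrusted(lines, trusted_cidrs):
    """Return (timestamp, ip, status, verdict) for every POST to the job
    submission endpoint whose source is outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore query strings and trailing slashes when matching the path.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != "/api/jobs":
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                      # first field is not an IP address
        if any(src in net for net in trusted):
            continue
        # A 2xx status means the submission reached Ray and was accepted.
        verdict = "accepted" if m["status"].startswith("2") else "rejected"
        hits.append((m["ts"], m["ip"], int(m["status"]), verdict))
    return hits

# Constructed log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.20.3.7 - - [12/Mar/2024:10:01:02 +0000] "POST /api/jobs/ HTTP/1.1" 200 64 "-" "python-requests/2.31.0"',
    '198.51.100.23 - - [12/Mar/2024:10:05:44 +0000] "POST /api/jobs/ HTTP/1.1" 200 64 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Mar/2024:10:05:50 +0000] "GET /api/jobs/ HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '192.0.2.9 - - [12/Mar/2024:11:30:00 +0000] "POST /api/jobs?x=1 HTTP/1.1" 401 0 "-" "-"',
    '10.20.3.7 - - [12/Mar/2024:11:31:00 +0000] "GET /api/version HTTP/1.1" 200 40 "-" "-"',
]

if __name__ == "__main__":
    for ts, ip, status, verdict in job_submissions_from_untrusted(
            SAMPLE_LOG, ["10.20.0.0/16"]):
        print(f"{ts} {ip} status={status} {verdict}")
```

An "accepted" hit is a job that ran; per the guidance on this page, treat that cluster as compromised and rotate its credentials.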
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- atlas.mitre.org/studies/AML.CS0023
- bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- console.vulncheck.com/cve/CVE-2023-48022
- docs.ray.io/en/latest/ray-security/index.html
- docs.ray.io/en/latest/ray-security/token-auth.html
- github.com/advisories/GHSA-6wgj-66m2-xxp2
- github.com/advisories/GHSA-xg2h-7cxj-3gvh
- github.com/honysyang/Ray
- github.com/ray-project/ray/commit/978947083b1e192dba61ef653c863b11d56b0936
- nvd.nist.gov/vuln/detail/CVE-2023-48022
- anyscale.com/blog/update-on-ray-cve-2023-48022-new-verification-tooling-available
- oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
- vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
- vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022
- vulncheck.com/blog/initial-access-intelligence-august-2024
- github.com/0x656565/CVE-2023-48022 Exploit
- github.com/20142995/nuclei-templates Exploit
- github.com/ShenaoW/awesome-llm-supply-chain-security Exploit
- github.com/averinaleks/bot Exploit
- github.com/cyb3r-w0lf/nuclei-template-collection Exploit
- github.com/google/tsunami-security-scanner-plugins Exploit
- github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022 Exploit
- github.com/nomi-sec/PoC-in-GitHub Exploit
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
nuclei -t http/cves/2023/CVE-2023-48022.yaml -u https://target.example.com
Related Vulnerabilities
| CVE | CVSS | Description | Relation |
|---|---|---|---|
| CVE-2023-6019 | 9.8 | Ray: unauthenticated RCE via dashboard command injection | Same package: ray |
| CVE-2023-6021 | 9.3 | Ray: LFI allows unauthenticated file read | Same package: ray |
| CVE-2023-6020 | 9.3 | Ray: unauthenticated LFI exposes entire filesystem | Same package: ray |
| CVE-2025-1979 | 6.4 | Ray: Redis password exposed via plaintext logging | Same package: ray |
| CVE-2026-27482 | 5.9 | ray: Missing Auth allows unauthenticated access | Same package: ray |