CVE-2023-6020: Ray: unauthenticated LFI exposes entire filesystem

GHSA-6cxr-8q3m-jwrr | CRITICAL | PoC available | Nuclei template
Published November 16, 2023

CISO Take

Any internet-exposed Ray cluster running < 2.8.1 is fully compromised — attackers can read any file on the host including cloud credentials, API keys, model weights, and training data with a single HTTP GET request. EPSS of 0.80 signals active exploitation probability; treat this as likely already hit in exposed environments. Patch to 2.8.1 immediately, restrict Ray ports to trusted networks, and rotate all secrets on affected nodes.

What is the risk?

CRITICAL. CVSS 9.3 combined with EPSS 0.80 (top 5% exploitation likelihood across all CVEs) makes this extremely high priority. Zero authentication required, zero user interaction, fully network-exploitable. Ray clusters typically run with broad filesystem access and store cloud provider credentials, making blast radius exceptionally high. Ray has no authentication on its dashboard or API by default, meaning internet-exposed deployments are trivially exploitable by anyone.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Ray       pip         < 2.8.1            2.8.1

Do you use Ray? You're affected.

How severe is it?

CVSS 3.1: 9.3 / 10
EPSS: 14.7% chance of exploitation in 30 days (higher than 96% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Nuclei detection template available
EPSS exploit prediction: 15%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

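Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None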

What should I do?

1) Patch immediately: upgrade ray to >= 2.8.1 across all environments (pip install 'ray>=2.8.1').
2) If patching is not immediate: block Ray ports 8265 (dashboard), 6379 (Redis), and 10001 (object store) at the firewall — none should be internet-exposed.
3) Rotate all secrets potentially accessible on Ray nodes: cloud IAM credentials, API keys, SSH private keys, database passwords, ML platform tokens (Weights & Biases, HuggingFace, etc.).
4) Detection: grep HTTP logs for requests to /static/ containing '../', '%2e%2e', or encoded traversal sequences.
5) Inventory: scan requirements.txt, Dockerfiles, Helm charts, and deployed pods for ray < 2.8.1.
6) Long-term: enforce network segmentation for all ML infrastructure — Ray clusters should never be publicly reachable.
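
Added example (not part of the original advisory and not Ray's code): the detection step as a Python script that percent-decodes each request target repeatedly before checking for a '..' path segment under /static/, so double-encoded and backslash forms are caught and names such as 'v1../' are not. The common/combined log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Request target and status code in a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MAX_DECODE_ROUNDS = 5  # assumption: enough to unwrap nested percent-encoding


def fully_decode(path):
    """Percent-decode repeatedly so %252e%252e collapses to '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators


def is_static_traversal(target):
    """True when a /static/ request carries a '..' path segment."""
    path = fully_decode(target.split("?", 1)[0])  # drop query before decoding
    if not path.lower().startswith("/static/"):
        return False
    return ".." in path.split("/")


def scan(lines):
    """Return (source_ip, status, raw_target) for each suspicious line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_static_traversal(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("status"), m.group("target")))
    return hits


# Constructed sample lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Nov/2023:10:00:01 +0000] "GET /static/js/main.js HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Nov/2023:10:00:02 +0000] "GET /static/../../../../proc/1/environ HTTP/1.1" 200 912',
    '203.0.113.9 - - [16/Nov/2023:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/proc/1/environ HTTP/1.1" 200 912',
    '203.0.113.9 - - [16/Nov/2023:10:00:04 +0000] "GET /static/%252e%252e%252f%252e%252e%252fproc%252f1%252fenviron HTTP/1.1" 404 0',
    '198.51.100.7 - - [16/Nov/2023:10:00:05 +0000] "GET /static/v1../app.css HTTP/1.1" 200 300',
    '198.51.100.7 - - [16/Nov/2023:10:00:06 +0000] "GET /healthz?next=../x HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE_LOG):
        print(f"{ip}\t{status}\t{target}")
```

A hit with status 200 means a response body was returned and is the first to triage; the secrets on that node should be treated as exposed.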

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.1.1 - Information Security in AI System Lifecycle
NIST AI RMF: MANAGE 2.2 - AI Risk Treatment and Controls
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2023-6020 actively exploited?

A weaponized Metasploit module (auxiliary/gather/ray_lfi_cve_2023_6020) exists for CVE-2023-6020, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.

What systems are affected by CVE-2023-6020?

This vulnerability affects the following AI/ML architecture patterns: distributed ML training clusters, model serving infrastructure, hyperparameter tuning pipelines, MLOps platforms, reinforcement learning environments.

What is the CVSS score for CVE-2023-6020?

CVE-2023-6020 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 14.65%.

What is the AI security impact?

Affected AI Architectures

distributed ML training clusters
model serving infrastructure
hyperparameter tuning pipelines
MLOps platforms
reinforcement learning environments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

Exploitation Scenario

An attacker runs a Shodan query for exposed Ray dashboards (port 8265, no auth by default) and identifies targets. They craft a simple HTTP GET: 'GET /static/../../../../proc/1/environ HTTP/1.1' to extract all environment variables from the Ray head node process — instantly revealing AWS_ACCESS_KEY_ID, HUGGINGFACE_TOKEN, WANDB_API_KEY, and database connection strings. With cloud credentials in hand, they enumerate S3/GCS buckets and exfiltrate proprietary model weights and training datasets. The entire attack chain from discovery to data exfiltration takes under 5 minutes and requires no ML expertise — any script kiddie with a browser can execute it.

Weaknesses (CWE)

CWE-598 — Use of GET Request Method With Sensitive Query Strings: The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

  • [Implementation] When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Timeline

Published: November 16, 2023
Last Modified: January 9, 2025
First Seen: March 24, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2023/CVE-2023-6020.yaml -u https://target.example.com
