CVE-2023-6020: Ray: unauthenticated LFI exposes entire filesystem

GHSA-6cxr-8q3m-jwrr | Severity: CRITICAL | PoC available | Nuclei template available
Published November 16, 2023
CISO Take

Any internet-exposed Ray cluster running a version below 2.8.1 should be treated as fully compromised: an unauthenticated attacker can read any file on the host, including cloud credentials, API keys, model weights, and training data, with a single HTTP GET request. The EPSS score of 0.80 (an estimated 80% probability of exploitation in the wild within 30 days) means exposed deployments have likely already been hit. Patch to 2.8.1 immediately, restrict Ray ports to trusted networks, and rotate all secrets on affected nodes.

Risk Assessment

CRITICAL. CVSS 9.3 combined with EPSS 0.80 (top 5% exploitation likelihood across all CVEs) makes this extremely high priority. Zero authentication required, zero user interaction, fully network-exploitable. Ray clusters typically run with broad filesystem access and store cloud provider credentials, making blast radius exceptionally high. Ray has no authentication on its dashboard or API by default, meaning internet-exposed deployments are trivially exploitable by anyone.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
ray | pip | < 2.8.1 | 2.8.1

If you use ray at a version below 2.8.1, you are affected.

Severity & Risk

CVSS 3.1: 9.3 / 10
EPSS: 81.4% chance of exploitation in 30 days (higher than 99% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve; Nuclei detection template available; EPSS exploit prediction: 81%)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

Recommended Action

1. Patch immediately: upgrade ray to >= 2.8.1 across all environments (pip install 'ray>=2.8.1').
2. If patching is not immediate: block Ray ports 8265 (dashboard), 6379 (Redis), and 10001 (object store) at the firewall; none should be internet-exposed.
3. Rotate all secrets potentially accessible on Ray nodes: cloud IAM credentials, API keys, SSH private keys, database passwords, and ML platform tokens (Weights & Biases, HuggingFace, etc.).
4. Detection: grep HTTP logs for requests to /static/ containing '../', '%2e%2e', or other encoded traversal sequences.
5. Inventory: scan requirements.txt, Dockerfiles, Helm charts, and deployed pods for ray < 2.8.1.
6. Long-term: enforce network segmentation for all ML infrastructure; Ray clusters should never be publicly reachable.
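As an added example (not part of this advisory), here is a small Python log scanner that applies the detection step to combined-format HTTP access logs. It percent-decodes the request path repeatedly so double-encoded traversal sequences (%252e%252e) are caught as well as plain '../' and '%2e%2e'; the log lines, IPs and paths are constructed for illustration.

```python
# Added example (not from the advisory): flag access-log requests that try to
# traverse out of Ray's /static/ path, including URL-encoded and double-encoded forms.
import re
from urllib.parse import unquote

# Constructed sample log lines in combined-log format; IPs and requests are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Nov/2023:10:01:02 +0000] "GET /static/js/main.js HTTP/1.1" 200 5120
198.51.100.7 - - [16/Nov/2023:10:01:05 +0000] "GET /static/../../../../proc/1/environ HTTP/1.1" 200 1834
203.0.113.9 - - [16/Nov/2023:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2201
203.0.113.9 - - [16/Nov/2023:10:02:14 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 12
192.0.2.5 - - [16/Nov/2023:10:03:00 +0000] "GET /api/cluster_status HTTP/1.1" 200 903
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is normalised too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_static_traversal(path: str) -> bool:
    """True if a request under /static/ contains a parent-directory segment after decoding."""
    decoded = fully_decode(path).replace("\\", "/")
    if not decoded.startswith("/static/"):
        return False
    return any(seg == ".." for seg in decoded.split("/"))

def scan_access_log(text: str) -> list[dict]:
    """Return one finding per suspicious line: source IP, status, decoded path, likely success."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not is_static_traversal(m["path"]):
            continue
        findings.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "decoded_path": fully_decode(m["path"]),
            # A 200 on a traversal request means the file was very likely served: treat as compromise.
            "likely_success": m["status"] == "200",
        })
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Any finding with likely_success set is a reason to rotate the secrets listed in step 3, not just to block the source address.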

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.1.1 - Information Security in AI System Lifecycle
NIST AI RMF: MANAGE 2.2 - AI Risk Treatment and Controls
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-6020?

CVE-2023-6020 is an unauthenticated local file inclusion (path traversal) vulnerability in the /static/ directory of Ray's dashboard, affecting versions below 2.8.1. A single crafted HTTP GET request lets an attacker read any file on the host, including cloud credentials, API keys, model weights, and training data. It is rated CRITICAL (CVSS 9.3) with an EPSS of 0.80, and is fixed in Ray 2.8.1.

Is CVE-2023-6020 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6020, increasing the risk of exploitation.

How to fix CVE-2023-6020?

Upgrade ray to 2.8.1 or later in every environment (pip install 'ray>=2.8.1'). Until that is done, block Ray ports 8265, 6379, and 10001 at the firewall, rotate every secret reachable from Ray nodes, and review HTTP logs for traversal sequences in requests to /static/. The full six-step list is given under Recommended Action above.

What systems are affected by CVE-2023-6020?

This vulnerability affects the following AI/ML architecture patterns: distributed ML training clusters, model serving infrastructure, hyperparameter tuning pipelines, MLOps platforms, reinforcement learning environments.

What is the CVSS score for CVE-2023-6020?

CVE-2023-6020 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 81.45%.

Technical Details

NVD Description

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. The Ray maintainers' response is at: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
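To show the bug class rather than Ray's actual code, here is an added Python example (not from Ray or this advisory) of the unsafe static-file pattern that lets '../' escape a /static/ root, beside a hardened handler that resolves the path and refuses anything outside the root. The directory tree, file names and the placeholder secret are constructed for the demo.

```python
# Added example (not Ray's code): an unsafe static-file handler next to a hardened one.
import os
import tempfile
from pathlib import Path

def serve_static_unsafe(static_root: str, requested: str) -> bytes:
    """Vulnerable pattern: the request path is joined onto the root with no containment
    check, so '..' segments walk out of static_root and any readable host file is returned."""
    target = os.path.join(static_root, requested.lstrip("/"))
    with open(target, "rb") as fh:
        return fh.read()

def serve_static_safe(static_root: str, requested: str) -> bytes:
    """Hardened pattern: resolve symlinks and '..' first, then require the result to sit
    inside the resolved root before touching the file."""
    root = Path(static_root).resolve()
    target = (root / requested.lstrip("/")).resolve()
    # Path.is_relative_to() (Python 3.9+) rejects anything that escaped the root after normalisation.
    if not target.is_relative_to(root):
        raise PermissionError(f"refusing to serve {requested!r}: outside static root")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()

def demo() -> dict:
    """Build a throwaway tree (an asset under static/, a 'secret' one level up) and try both handlers."""
    base = Path(tempfile.mkdtemp())
    (base / "static").mkdir()
    (base / "static" / "app.js").write_bytes(b"console.log('ok')")
    # Constructed placeholder value, not a real credential.
    (base / "secret.env").write_bytes(b"AWS_ACCESS_KEY_ID=EXAMPLE")
    root = str(base / "static")
    result = {
        "unsafe_asset": serve_static_unsafe(root, "app.js"),
        "unsafe_traversal": serve_static_unsafe(root, "../secret.env"),  # leaks the secret
        "safe_asset": serve_static_safe(root, "app.js"),
    }
    try:
        serve_static_safe(root, "../secret.env")
        result["safe_traversal"] = "served"
    except PermissionError:
        result["safe_traversal"] = "blocked"
    return result

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```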

Exploitation Scenario

An attacker runs a Shodan query for exposed Ray dashboards (port 8265, no auth by default) and identifies targets. They craft a simple HTTP GET: 'GET /static/../../../../proc/1/environ HTTP/1.1' to extract all environment variables from the Ray head node process — instantly revealing AWS_ACCESS_KEY_ID, HUGGINGFACE_TOKEN, WANDB_API_KEY, and database connection strings. With cloud credentials in hand, they enumerate S3/GCS buckets and exfiltrate proprietary model weights and training datasets. The entire attack chain from discovery to data exfiltration takes under 5 minutes and requires no ML expertise — any script kiddie with a browser can execute it.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Timeline

Published: November 16, 2023
Last Modified: January 9, 2025
First Seen: March 24, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2023/CVE-2023-6020.yaml -u https://target.example.com
