CVE-2023-6021 — CRITICAL (CVSS 9.3) AI Security Vulnerability

Q: Is CVE-2023-6021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6021, increasing the risk of exploitation.

Q: How to fix CVE-2023-6021?

1. Patch immediately: upgrade to Ray 2.8.1+. 2. If patching is blocked, restrict network access to Ray ports (8265, 8000, 6379, 10001) via firewall — these must never be internet-facing. 3. Assume compromise if Ray was network-accessible before patching: rotate all credentials stored on Ray nodes (cloud keys, API tokens, SSH keys, DB passwords). 4. Enable access logging on Ray endpoints and alert on path traversal patterns (../, ..\, %2e%2e%2f). 5. Deploy Ray behind an authenticated reverse proxy if network isolation is not immediately feasible. 6. Audit Ray node filesystems for secrets using tools like truffleHog or gitleaks.

Q: What systems are affected by CVE-2023-6021?

This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving, hyperparameter tuning, reinforcement learning environments, MLOps pipelines.

Q: What is the CVSS score for CVE-2023-6021?

CVE-2023-6021 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 87.32%.

CISO Take

Any Ray cluster reachable over the network is critically exposed — no credentials required to read arbitrary server files including API keys, cloud credentials, and model artifacts. With an EPSS of 0.87, exploitation is highly probable and likely active. Patch to Ray 2.8.1+ immediately; if patching is blocked, isolate Ray nodes from public networks and treat all secrets stored on Ray nodes as compromised.

Risk Assessment

Critical. CVSS 9.3 (network-accessible, no auth, no user interaction, high confidentiality impact) combined with EPSS 0.87317 signals active or near-certain exploitation in the wild. Ray clusters are common in cloud ML environments and frequently misconfigured with port 8265 or 8000 exposed. AI/ML infrastructure is a high-value target due to the concentration of credentials, proprietary models, and sensitive training data on compute nodes.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
ray	pip	< 2.8.1	`2.8.1`
42.4K OpenSSF 6.2 845 dependents Pushed 6d ago 78% patched ~186d to patch Full package profile →

Do you use ray? You're affected.

Severity & Risk

CVSS 3.1

9.3 / 10

EPSS

87.3%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 87%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I Low

A None

Recommended Action

6 steps

Patch immediately: upgrade to Ray 2.8.1+.
If patching is blocked, restrict network access to Ray ports (8265, 8000, 6379, 10001) via firewall — these must never be internet-facing.
Assume compromise if Ray was network-accessible before patching: rotate all credentials stored on Ray nodes (cloud keys, API tokens, SSH keys, DB passwords).
Enable access logging on Ray endpoints and alert on path traversal patterns (../, ..\, %2e%2e%2f).
Deploy Ray behind an authenticated reverse proxy if network isolation is not immediately feasible.
Audit Ray node filesystems for secrets using tools like truffleHog or gitleaks.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework Inference AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1 - AI system security and resilience

NIST AI RMF

MANAGE-2.2 - Risk response — sustaining deployed AI value

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-6021?

Any Ray cluster reachable over the network is critically exposed — no credentials required to read arbitrary server files including API keys, cloud credentials, and model artifacts. With an EPSS of 0.87, exploitation is highly probable and likely active. Patch to Ray 2.8.1+ immediately; if patching is blocked, isolate Ray nodes from public networks and treat all secrets stored on Ray nodes as compromised.

Is CVE-2023-6021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6021, increasing the risk of exploitation.

How to fix CVE-2023-6021?

1. Patch immediately: upgrade to Ray 2.8.1+. 2. If patching is blocked, restrict network access to Ray ports (8265, 8000, 6379, 10001) via firewall — these must never be internet-facing. 3. Assume compromise if Ray was network-accessible before patching: rotate all credentials stored on Ray nodes (cloud keys, API tokens, SSH keys, DB passwords). 4. Enable access logging on Ray endpoints and alert on path traversal patterns (../, ..\, %2e%2e%2f). 5. Deploy Ray behind an authenticated reverse proxy if network isolation is not immediately feasible. 6. Audit Ray node filesystems for secrets using tools like truffleHog or gitleaks.

What systems are affected by CVE-2023-6021?

This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving, hyperparameter tuning, reinforcement learning environments, MLOps pipelines.

What is the CVSS score for CVE-2023-6021?

CVE-2023-6021 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 87.32%.

Technical Details

NVD Description

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

Exploitation Scenario

Adversary scans internet-facing hosts for Ray dashboard (port 8265) or Ray Serve (port 8000) — both commonly exposed in misconfigured cloud ML environments. Once a Ray instance is identified, attacker sends a crafted GET request to the log API endpoint with a path traversal payload targeting high-value files: ../../../../root/.env (API keys), ../../../../home/ubuntu/.aws/credentials (cloud access), ../../../../root/.ssh/id_rsa (SSH private key). With credentials harvested, attacker pivots from the ML cluster to broader cloud infrastructure, CI/CD pipelines, or model registries. EPSS of 0.87 indicates this exploit pattern is already operational.