CVE-2025-34351
BaseFortify
Publication date: 2025-11-27
Last updated on: 2025-12-09
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anyscale | ray | 2.52.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists because Anyscale Ray 2.52.0 ships with an insecure default: token-based authentication for the management interfaces (the dashboard and the Jobs API) is off unless the operator explicitly enables it. Job submission runs caller-supplied code on the cluster, so with the default configuration anyone who can reach those interfaces over the network can submit a job and execute arbitrary code on the Ray cluster without presenting any credentials. The weakness is classified as CWE-1188 (insecure default initialization of a resource), not as a flaw in the authentication mechanism itself.
How can this vulnerability impact me?
A remote attacker with network access to the Ray management interfaces can submit unauthorized jobs and execute arbitrary code on the cluster. That gives the attacker control over the cluster's compute, access to any data or credentials reachable from the nodes running the jobs, and the ability to disrupt the service, along with any further risk that follows from running attacker-chosen code inside your environment.
What immediate steps should I take to mitigate this vulnerability?
Enable token-based authentication for the Ray management interfaces by setting the environment variable RAY_AUTH_MODE=token in the environment that starts the cluster, and make sure legitimate clients are configured with the resulting token. Independently of that, do not expose the dashboard port (8265 by default) beyond the hosts that need it, since network restriction is the only safeguard for clusters that are still running with the insecure default. After enabling authentication, confirm that an unauthenticated request to the Jobs API is rejected rather than answered.
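The following audit helper is an added example for the explanation and the mitigation above; it is not part of this advisory and not code from the Ray project. It checks two things a practitioner would want to verify on a running cluster: whether the launching environment opts into token authentication (RAY_AUTH_MODE=token) and whether the dashboard answers an unauthenticated request to the Jobs API. The request path /api/jobs/ and the treatment of HTTP 401/403 as "authentication enforced" are assumptions about the dashboard's behaviour; the `fetch` hook exists so the verdict logic can be exercised offline with constructed responses.

```python
"""Audit helper (added example, not the advisory's or Ray's own code).

Checks whether a Ray cluster is running with the insecure default described
in CVE-2025-34351: no token authentication on the dashboard / Jobs API.
"""
import os
import sys
import urllib.error
import urllib.request

# Assumed path of the Jobs API list endpoint served by the Ray dashboard.
RAY_JOBS_LIST_PATH = "/api/jobs/"

# Default dashboard address when nothing else is given.
DEFAULT_DASHBOARD_URL = "http://127.0.0.1:8265"


def auth_mode_is_token(env=None):
    """True when the environment opts into token authentication.

    `env` defaults to the real process environment; a dict can be passed in
    for offline checks.
    """
    env = os.environ if env is None else env
    return env.get("RAY_AUTH_MODE", "").strip().lower() == "token"


def classify_status(status):
    """Map the HTTP status of an unauthenticated Jobs API request to a verdict.

    401/403 means the dashboard demanded credentials (auth enforced).
    200 means it served the job list to an anonymous caller (insecure default).
    Anything else (404, 5xx, connection failure reported as None) is inconclusive:
    it may be a non-Ray listener, a proxy, or a version without this endpoint.
    """
    if status in (401, 403):
        return "auth_enforced"
    if status == 200:
        return "unauthenticated_access"
    return "inconclusive"


def _http_status(url, timeout):
    """Issue a plain GET with no Authorization header and return the status code.

    Returns None when no HTTP response was obtained at all.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def probe_jobs_api(dashboard_url, fetch=None, timeout=5):
    """Return (status, verdict) for an unauthenticated request to the Jobs API.

    `fetch(url, timeout)` can be supplied to replace the network call.
    """
    fetch = _http_status if fetch is None else fetch
    url = dashboard_url.rstrip("/") + RAY_JOBS_LIST_PATH
    status = fetch(url, timeout)
    return status, classify_status(status)


def audit(dashboard_url, env=None, fetch=None):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not auth_mode_is_token(env):
        findings.append(
            "RAY_AUTH_MODE is not set to 'token': the cluster starts with the "
            "insecure default and the dashboard/Jobs API accept anonymous callers."
        )
    status, verdict = probe_jobs_api(dashboard_url, fetch=fetch)
    if verdict == "unauthenticated_access":
        findings.append(
            f"GET {RAY_JOBS_LIST_PATH} on {dashboard_url} returned {status} with no "
            "credentials: anyone reaching this port can submit jobs."
        )
    elif verdict == "inconclusive":
        findings.append(
            f"GET {RAY_JOBS_LIST_PATH} on {dashboard_url} returned {status}: "
            "could not determine whether authentication is enforced; check manually."
        )
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DASHBOARD_URL
    problems = audit(target)
    for finding in problems:
        print("[!]", finding)
    if not problems:
        print("[+] token auth configured and the Jobs API rejected an anonymous request")
    sys.exit(1 if problems else 0)
```

Run it from the head node (or any host that can reach the dashboard) as `python audit_ray_auth.py http://HEAD:8265`; a non-zero exit with the first finding means the environment that launched Ray did not set RAY_AUTH_MODE=token, and the second finding means the port is reachable and serving the Jobs API without credentials, which is exactly the exposure the advisory describes. The probe deliberately sends no token, so a passing result proves only that anonymous access is rejected, not that any particular token is accepted.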