CVE-2025-62593: Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
Developers running Ray as a development tool are exposed to a critical RCE vulnerability exploitable through the Firefox and Safari browsers.
The Ray development team's longstanding decision not to implement any authentication on critical endpoints such as /api/jobs and /api/job_agent/jobs/ has once again led to a severe vulnerability that allows attackers to execute arbitrary code on Ray, this time in a development context via the Firefox and Safari browsers.
This vulnerability is due to an insufficient guard against browser-based attacks: the current defense relies on the User-Agent header starting with the string “Mozilla” to identify browser requests. This defense is insufficient because the Fetch specification allows page script to set the User-Agent header.
Combined with a DNS rebinding attack against the browser, this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website or is served a malicious advertisement (malvertising).
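To illustrate the defensive point, here is an added example (not Ray's own code, and not a description of the patch in the referenced commit) contrasting a User-Agent-prefix guard with a Host-allowlist guard against a constructed DNS-rebinding request. The allow-list, header names and request values are assumptions constructed for the example.

```python
"""Constructed comparison of two request guards for a local dashboard API.
Not Ray's code; the allow-list and sample requests are made up for this example."""
from typing import Mapping

# Hosts the dashboard should answer for (constructed allow-list, port included).
ALLOWED_HOSTS = {"127.0.0.1:8265", "localhost:8265"}


def weak_browser_guard(headers: Mapping[str, str]) -> bool:
    """Pre-fix style check: reject only when User-Agent starts with "Mozilla".
    Returns True when the request is accepted. Page script can rewrite
    User-Agent via fetch(), so this is bypassable."""
    return not headers.get("User-Agent", "").startswith("Mozilla")


def hardened_guard(headers: Mapping[str, str]) -> bool:
    """Accept only when Host names the dashboard itself. Host is a forbidden
    request header in the Fetch spec, so script cannot rewrite it; after DNS
    rebinding it still carries the attacker's domain, not the loopback address.
    Origin, when a browser sends it, is checked against the same allow-list."""
    host = headers.get("Host", "").lower()
    if host not in ALLOWED_HOSTS:
        return False
    origin = headers.get("Origin")
    if origin is not None:
        origin_host = origin.split("://", 1)[-1].lower()
        if origin_host not in ALLOWED_HOSTS:
            return False
    return True


# Constructed request as a rebinding page might issue once attacker.example
# resolves to 127.0.0.1: User-Agent is overridden so the prefix check does not
# fire, but the browser still supplies its own Host and Origin headers.
REBINDING_REQUEST = {
    "Host": "attacker.example:8265",
    "Origin": "http://attacker.example:8265",
    "User-Agent": "not-a-browser/1.0",
    "Content-Type": "application/json",
}

# Constructed request from a developer's own tooling on the loopback address.
LOCAL_CLI_REQUEST = {"Host": "127.0.0.1:8265", "User-Agent": "python-requests/2.32"}
```

The weak guard accepts the rebinding request because the spoofed User-Agent no longer starts with "Mozilla"; the hardened guard rejects it on the Host header alone while still accepting the local tooling request.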
References
- docs.ray.io/en/releases-2.51.1/ray-security/index.html
- en.wikipedia.org/wiki/Malvertising
- github.com/advisories/GHSA-q279-jhrf-cc6v
- github.com/nccgroup/singularity/pull/68
- github.com/ray-project/ray
- github.com/ray-project/ray/blob/e7889ae542bf0188610bc8b06d274cbf53790cbd/python/ray/dashboard/http_server_head.py
- github.com/ray-project/ray/blob/f39a860436dca3ed5b9dfae84bd867ac10c84dc6/python/ray/dashboard/optional_utils.py
- github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09
- github.com/ray-project/ray/security/advisories/GHSA-q279-jhrf-cc6v
- nvd.nist.gov/vuln/detail/CVE-2025-62593