A critical remote code execution (RCE) vulnerability has been discovered in the Ray framework, putting AI and Python developers at risk of having their systems compromised. The vulnerability, tracked as CVE-2025-62593, exploits a flaw in how Ray handles local API requests, allowing attackers to execute arbitrary code on a developer’s machine via a malicious website or advertisement.
The attack vector specifically targets users of Safari and Firefox. Google Chrome users are currently immune—not due to security compliance, but because of a bug in Chrome that prevents the specific exploit method.
Ray is a popular open-source framework used to scale machine learning workloads. Developers typically run it locally, where it listens for commands on ports like 8265. Historically, the Ray team has chosen not to implement authentication on critical local endpoints (like /api/jobs), relying instead on checking the request’s User-Agent header. If the header starts with “Mozilla,” Ray assumes the request is from a browser and blocks it to prevent cross-site attacks.
However, security researchers discovered that this defense is insufficient. The fetch API in both Firefox and Safari allows the User-Agent header to be modified programmatically.
By combining this behavior with a DNS Rebinding attack, an attacker can bypass the check. DNS rebinding tricks a victim’s browser into treating a remote attacker-controlled server and the local Ray instance as the same origin. This turns the developer’s own browser into a “confused deputy,” allowing the attacker to send authorized commands to the local Ray dashboard.
The vulnerability mechanism was theorized by @avilum (Oligo), with the full PoC and disclosure provided by @JLLeitschuh (Socket).
The Attack Scenario: From Ads to Shell Access
- The Lure: A developer running a local Ray instance visits a website hosting a malicious ad (malvertising) or falls for a phishing link.
- The Rebind: The malicious page uses a tool (like nccgroup/singularity) to perform a DNS rebinding attack, tricking the browser into communicating with localhost:8265.
- The Payload: Because the attacker can spoof the User-Agent in Safari/Firefox, the Ray dashboard accepts the request. The exploit submits a job via the /api/jobs endpoint containing shell code.
- The Impact: The malicious code executes on the developer’s machine. In the proof-of-concept (PoC), this simply popped a calculator, but in a real attack, it could grant full shell access or allow lateral movement into corporate networks.
The Ray project has released a fix in version 2.52.0. Developers are urged to update immediately to this version or higher.
- New Security Feature: Version 2.52.0 introduces a token-based authentication feature. While currently disabled by default, enabling it provides a critical layer of defense against this class of vulnerability.
- Browser Hardening: While some browsers are implementing defenses against DNS rebinding (like Chrome’s Local Network Access), these features have been inconsistent or rolled back in the past. Updating the Ray application remains the only reliable fix.
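The User-Agent heuristic described earlier, set beside two checks that do hold up under DNS rebinding (Host-header validation and a required token), as an added Python example; it is not Ray's code or the code of its 2.52.0 fix. The function names, the allowlist, the `Authorization: Bearer` header format and the sample requests are assumptions constructed for illustration.

```python
import hmac

# Names a loopback-only dashboard is legitimately addressed by (assumed allowlist).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def weak_check(headers: dict) -> bool:
    """Heuristic from the article: refuse only requests whose UA starts with 'Mozilla'."""
    return not headers.get("User-Agent", "").startswith("Mozilla")


def host_is_local(headers: dict) -> bool:
    """After a rebind the browser still sends the attacker's domain in Host."""
    host = headers.get("Host", "").lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8265
        name, _, rest = host[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else rest
    else:
        name, _, port = host.partition(":")
    return name in ALLOWED_HOSTS and (port == "" or port.isdigit())


def hardened_check(headers: dict, expected_token: str) -> bool:
    """Require a local Host value and a secret a web page cannot know."""
    if not expected_token or not host_is_local(headers):
        return False
    supplied = headers.get("Authorization", "").removeprefix("Bearer ")
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


# Constructed header sets as the server would see them (not captured traffic).
TOKEN = "example-token-not-a-real-secret"
CLI = {"Host": "127.0.0.1:8265", "User-Agent": "python-requests/2.32",
       "Authorization": "Bearer " + TOKEN}
BROWSER = {"Host": "rebind.example.test:8265", "User-Agent": "Mozilla/5.0 (X11)"}
REBOUND = {"Host": "rebind.example.test:8265", "User-Agent": "not-a-browser/1.0"}

if __name__ == "__main__":
    for label, req in (("cli", CLI), ("browser", BROWSER), ("rebound", REBOUND)):
        print(f"{label:8} weak={weak_check(req)!s:5} hardened={hardened_check(req, TOKEN)}")
```

The `REBOUND` case passes the User-Agent heuristic but fails the hardened check twice over: its Host value is not a loopback name, and it carries no token.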