top of page
Search

Critical Flaw in Ray AI Platform Exploited via Safari and Firefox (CVE-2025-62593)

  • Nov 26, 2025
  • 2 min read

Key Findings


  • A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-62593, has been discovered in the Ray framework.

  • The vulnerability allows attackers to execute arbitrary code on a developer's machine via a malicious website or advertisement, targeting users of Safari and Firefox.

  • The attack exploits a flaw in how Ray handles local API requests, bypassing the framework's defense mechanism that relies on checking the User-Agent header.


Background


Ray is a popular open-source framework used to scale machine learning workloads. Developers typically run it locally, where it listens for commands on ports like 8265. Historically, the Ray team has chosen not to implement authentication on critical local endpoints (like /api/jobs), relying instead on checking the request's User-Agent header. If the header starts with "Mozilla," Ray assumes the request is from a browser and blocks it to prevent cross-site attacks.


Attack Scenario: From Ads to Shell Access


1. A developer running a local Ray instance visits a website hosting a malicious ad (malvertising) or falls for a phishing link.


2. The malicious page uses a tool (like nccgroup/singularity) to perform a DNS rebinding attack, tricking the browser into communicating with localhost:8265.


3. Because the attacker can spoof the User-Agent in Safari/Firefox, the Ray dashboard accepts the request. The exploit submits a job via the /api/jobs endpoint containing shell code.


4. The malicious code executes on the developer's machine. In the proof-of-concept (PoC), this simply popped a calculator, but in a real attack, it could grant full shell access or allow lateral movement into corporate networks.


Mitigations


1. The Ray project has released a fix in version 2.52.0. Developers are urged to update immediately to this version or higher.


2. Version 2.52.0 introduces a token-based authentication feature. While currently disabled by default, enabling it provides a critical layer of defense against this class of vulnerability.


3. While some browsers are implementing defenses against DNS rebinding (like Chrome's Local Network Access), these features have been inconsistent or rolled back in the past. Updating the Ray application remains the only reliable fix.


Related Posts


  • AI-Generated Malware Attacks 230,000 Exposed Ray AI Clusters in Massive ShadowRay 2.0 Botnet Campaign

  • Report: 496 million IoT devices are vulnerable to DNS Rebinding Attack

  • Critical Flaw CVE-2025-59159 (CVSS 9.7) in SillyTavern Allows Full Remote Control of Local AI Instances


Sources


  • https://securityonline.info/critical-ray-ai-flaw-exposes-devs-via-safari-firefox-cve-2025-62593/

  • https://securityonline.info/critical-patch-nvidia-dgx-spark-flaw-cve-2025-33187-cvss-9-3-exposes-ai-secrets-to-takeover/

Recent Posts

See All
Defeating AI with AI

Key Findings Generative AI and agentic AI are increasingly used by threat actors to conduct faster and more targeted attacks. One capability that AI improves for threat actors is the ability to profil

 
 
 

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page