{"id":"GHSA-6wgj-66m2-xxp2","summary":"Ray has arbitrary code execution via job submission API","details":"Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.","aliases":["CVE-2023-48022"],"modified":"2026-02-04T03:51:47.840877Z","published":"2023-11-28T09:30:26Z","related":["CGA-3g55-w6q5-vh7m"],"database_specific":{"github_reviewed_at":"2025-09-30T18:19:55Z","severity":"CRITICAL","cwe_ids":["CWE-829","CWE-918"],"github_reviewed":true,"nvd_published_at":"2023-11-28T08:15:06Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48022"},{"type":"WEB","url":"https://github.com/ray-project/ray/commit/978947083b1e192dba61ef653c863b11d56b0936"},{"type":"WEB","url":"https://atlas.mitre.org/studies/AML.CS0023"},{"type":"WEB","url":"https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0"},{"type":"WEB","url":"https://console.vulncheck.com/cve/CVE-2023-48022"},{"type":"WEB","url":"https://docs.ray.io/en/latest/ray-security/index.html"},{"type":"WEB","url":"https://docs.ray.io/en/latest/ray-security/token-auth.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xg2h-7cxj-3gvh"},{"type":"WEB","url":"https://github.com/honysyang/Ray"},{"type":"PACKAGE","url":"https://github.com/ray-project/ray"},{"type":"WEB","url":"https://www.anyscale.com/blog/update-on-ray-cve-2023-48022-new-verification-tooling-available"},{"type":"WEB","url":"https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022"},{"type":"WEB","url":"https://www.vulncheck.com/blog/initial-access-intelligence-august-2024"}],
"affected":[{"package":{"name":"ray","ecosystem":"PyPI","purl":"pkg:pypi/ray"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.49.2"}]}],"versions":["0.1.1","0.1.2","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.4.0","0.5.0","0.5.2","0.5.3","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","1.0.0","1.0.0rc0","1.0.0rc1","1.0.0rc2","1.0.1","1.0.1.post1","1.1.0","1.10.0","1.10.0rc0","1.11.0","1.11.0rc0","1.11.0rc1","1.11.1","1.12.0","1.12.0rc1","1.12.1","1.13.0","1.2.0","1.3.0","1.4.0","1.4.0rc1","1.4.0rc2","1.4.1","1.5.0","1.5.1","1.5.2","1.6.0","1.7.0","1.7.0rc0","1.7.1","1.8.0","1.9.0","1.9.0rc1","1.9.0rc2","1.9.1","1.9.1rc0","1.9.2","2.0.0","2.0.0rc0","2.0.0rc1","2.0.1","2.1.0","2.10.0","2.11.0","2.12.0","2.2.0","2.20.0","2.21.0","2.22.0","2.23.0","2.24.0","2.3.0","2.3.0rc0","2.3.1","2.30.0","2.31.0","2.32.0","2.32.0rc0","2.33.0","2.34.0","2.35.0","2.36.0","2.36.1","2.37.0","2.38.0","2.39.0","2.4.0","2.40.0","2.41.0","2.42.0","2.42.1","2.43.0","2.44.0","2.44.1","2.45.0","2.46.0","2.47.0","2.47.1","2.48.0","2.49.0","2.49.1","2.49.2","2.5.0","2.5.1","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.7.0rc0","2.7.1","2.7.2","2.8.0","2.8.1","2.9.0","2.9.1","2.9.2","2.9.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-6wgj-66m2-xxp2/GHSA-6wgj-66m2-xxp2.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}