VYPR
Critical severity · NVD Advisory · Published Nov 16, 2023 · Updated Aug 2, 2024

Ray Static File Local File Include

CVE-2023-6020

Description

LFI vulnerability in Ray's /static/ directory allows unauthenticated attackers to read arbitrary files on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-6020 is a local file inclusion (LFI) vulnerability in the Ray distributed computing framework. The bug resides in the /static/ directory handler, which fails to properly sanitize user-supplied paths, enabling an attacker to traverse directories and read arbitrary files on the server without authentication [1] [3].

Exploitation requires network access to the Ray Dashboard or any service exposing the /static/ endpoint. No authentication is needed; an attacker can simply craft a malicious URL with path traversal sequences (e.g., ../) to read sensitive files such as configuration files, SSH keys, or application code [1]. The vulnerability is present in all versions prior to Ray 2.8.1 [2].

Successful exploitation allows an attacker to read any file on the server, potentially leading to information disclosure, credential theft, or further compromise of the Ray cluster [3].

A fix was released in Ray version 2.8.1, which introduces proper path validation in the static file handler [2]. Users are strongly advised to upgrade to the latest version and ensure Ray clusters are not exposed to untrusted networks [3] [4].
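The narrative above names the defensive control (path validation in the static file handler) without showing what it looks like. The following is an added, self-contained example, not Ray's own code or the actual 2.8.1 patch: a hypothetical resolve_static_path() that maps a URL path under /static/ to a file only if the fully resolved target stays inside the static root, plus a small constructed directory tree to exercise it. Function names, the temp tree and the sample requests are all assumptions constructed for this illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_static_path(static_root: str, url_path: str) -> Optional[Path]:
    """Return the file for a /static/ request, or None if it would leave static_root.

    Hypothetical hardened handler (not Ray's code). The containment check is done on
    the *resolved* path, so '..' segments, percent-encoded dots and symlinks that
    point outside the root are all rejected by the same test.
    """
    decoded = unquote(url_path)          # decode once; '%2e%2e' becomes '..'
    if "\x00" in decoded:                 # NUL bytes can truncate paths in C-level APIs
        return None
    rel = decoded.lstrip("/\\")           # never let the request become an absolute path
    root = Path(static_root).resolve()
    candidate = (root / rel).resolve()    # collapses '..' and follows symlinks
    try:
        candidate.relative_to(root)       # raises ValueError if candidate escaped root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def build_demo_tree() -> str:
    """Create a constructed tree: static/app.js inside, secret.txt outside, and a
    symlink inside the static root pointing at the outside file (if the OS allows)."""
    base = Path(tempfile.mkdtemp(prefix="static_lfi_demo_"))
    static = base / "static"
    static.mkdir()
    (static / "app.js").write_text("console.log('dashboard');\n")
    (base / "secret.txt").write_text("CONSTRUCTED sample, not a real secret\n")
    try:
        os.symlink(base / "secret.txt", static / "link.txt")
    except OSError:
        pass  # symlinks unavailable here; the request is then rejected as 'not a file'
    return str(static)


def check_requests(static_root: str) -> Dict[str, bool]:
    """Run constructed sample requests through the resolver; True means served."""
    samples = [
        "app.js",                 # legitimate dashboard asset
        "../secret.txt",          # plain traversal
        "%2e%2e/secret.txt",      # percent-encoded traversal
        "/etc/passwd",            # absolute path smuggled into the request
        "link.txt",               # symlink inside root that resolves outside it
        "missing.js",             # nonexistent asset
    ]
    return {s: resolve_static_path(static_root, s) is not None for s in samples}


if __name__ == "__main__":
    root = build_demo_tree()
    for request, served in check_requests(root).items():
        print(f"{request!r:24} -> {'served' if served else 'rejected'}")
```

The key design point is that validation happens on the resolved absolute path rather than by scanning the request string for "../": string filters miss encodings and symlinks, while relative_to() on the resolved path rejects every route out of the directory with one check.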

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Affected versions   Patched versions
ray (PyPI)   < 2.8.1             2.8.1

Affected products

  • ghsa-coords
    Range: < 2.8.1
  • ray-project/ray-project/rayv5
    Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.