CVE-2025-62593
Description
Ray is an AI compute engine. Prior to version 2.52.0, developers using Ray as a development tool are exposed to a critical RCE vulnerability that is exploitable via Firefox and Safari. The vulnerability is due to an insufficient guard against browser-based attacks: the current defense checks whether the User-Agent header starts with the string "Mozilla". This is insufficient because the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0.
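The weakness described above, as an added example (not Ray's code and not its patch): a User-Agent prefix guard is compared with a Host/Origin allowlist, a general DNS rebinding mitigation assumed here for illustration. The header sets, hostnames, port and function names are constructed.

```python
from urllib.parse import urlsplit

# Assumption: names an operator legitimately uses to reach the local service.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

def _hostname(value, is_url=False):
    """Lower-cased host part of a Host header or an Origin URL, else None."""
    try:
        return urlsplit(value if is_url else "//" + value).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None

def ua_guard_blocks(headers):
    """The guard the description calls insufficient: a request is refused as
    browser traffic only if its User-Agent starts with "Mozilla"."""
    return headers.get("User-Agent", "").startswith("Mozilla")

def host_guard_blocks(headers, allowed=ALLOWED_HOSTS):
    """Refuse unless Host, and Origin when present, name an expected host.
    Under DNS rebinding the browser still sends the rebound site's name in
    both, and page script cannot override either header."""
    if _hostname(headers.get("Host", "")) not in allowed:
        return True
    origin = headers.get("Origin")
    return origin is not None and _hostname(origin, is_url=True) not in allowed

# Constructed sample requests (hypothetical hostnames, port and agents).
SAMPLES = {
    "browser, default UA": {
        "Host": "localhost:8265",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    "rebound page, UA overridden": {
        "Host": "rebind.attacker.example:8265",
        "User-Agent": "cli/1.0",
        "Origin": "http://rebind.attacker.example:8265"},
    "local CLI client": {
        "Host": "127.0.0.1:8265",
        "User-Agent": "cli/1.0"},
}

def evaluate(samples=SAMPLES):
    """Map each sample name to (ua_guard_blocks, host_guard_blocks)."""
    return {n: (ua_guard_blocks(h), host_guard_blocks(h)) for n, h in samples.items()}

if __name__ == "__main__":
    for name, (ua, host) in evaluate().items():
        print(f"{name:30} ua_guard_blocks={ua!s:5} host_guard_blocks={host}")
```

To the User-Agent guard, the rebound request with an overridden User-Agent looks the same as the local CLI client; only the Host/Origin check separates the two.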
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ray (PyPI) | < 2.52.0 | 2.52.0 |
Affected products
- Range: ray-0.1.0, ray-0.1.1, ray-0.1.2, …
- pkg:apk/chainguard/airflow-3 (no CPE), range: < 3.2.0-r0
- pkg:apk/chainguard/py3.12-vllm-cuda-12.4 (no CPE), range: < 0.11.2-r1
- pkg:apk/chainguard/py3-vllm-cuda-12.4 (no CPE), range: < 0.11.2-r1
- pkg:apk/chainguard/tritonserver-backend-vllm-meta-cuda-12.9 (no CPE), range: < 25.9.0_git20251112-r1
- pkg:apk/wolfi/airflow-3 (no CPE), range: < 3.2.0-r0
- pkg:pypi/ray (no CPE), range: < 2.52.0
References
- github.com/advisories/GHSA-q279-jhrf-cc6v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-62593 (ghsa, ADVISORY)
- docs.ray.io/en/releases-2.51.1/ray-security/index.html (ghsa, WEB)
- en.wikipedia.org/wiki/Malvertising (ghsa, WEB)
- github.com/nccgroup/singularity/pull/68 (ghsa, WEB)
- github.com/ray-project/ray/blob/e7889ae542bf0188610bc8b06d274cbf53790cbd/python/ray/dashboard/http_server_head.py (ghsa, WEB)
- github.com/ray-project/ray/blob/f39a860436dca3ed5b9dfae84bd867ac10c84dc6/python/ray/dashboard/optional_utils.py (ghsa, WEB)
- github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09 (nvd, WEB)
- github.com/ray-project/ray/security/advisories/GHSA-q279-jhrf-cc6v (nvd, WEB)