PT-2025-48198 · Anyscale · Ray

Published: 2025-11-14 · Updated: 2026-03-11 · CVE-2025-62593

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ray versions prior to 2.52.0
Description: Ray, an AI compute engine, is affected by a critical remote code execution (RCE) vulnerability caused by insufficient protection against browser-based (cross-site) requests. The existing defense relies on the User-Agent header: a request whose User-Agent contains the string "Mozilla" is treated as browser-originated and rejected. The Fetch specification, however, allows page script to set this header, so in Firefox and Safari a malicious page can send requests without the "Mozilla" marker. Combined with DNS rebinding, which lets script on the attacker's page address the Ray instance on the developer's machine under the attacker's own hostname so that the browser treats the requests as same-origin, this allows arbitrary code execution. A developer running Ray can be compromised simply by visiting a malicious website or being served a malicious advertisement (malvertising). Approximately 2,100 vulnerable instances have been identified. The issue is exploitable against developers using Ray as a development tool.
Recommendations: Update to Ray version 2.52.0 or later.
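As an added illustration (this is not Ray's code and does not reproduce Ray's actual fix), the following Python contrasts the User-Agent heuristic described above with a Host/Origin check that a DNS-rebound request cannot satisfy: the rebound request reaches the service with the attacker's hostname in Host (and Origin), while a spoofed User-Agent slips past the string match. The port 8265, the allow-list and all header values are constructed assumptions.

```python
"""Added example, not Ray's code: User-Agent heuristic vs Host/Origin check."""
from urllib.parse import urlsplit

# Assumption: the service is bound locally on port 8265 and should only ever
# be addressed by these Host values. A DNS-rebound request carries the
# attacker's domain here instead, because the browser resolved that name.
ALLOWED_HOSTS = {"localhost:8265", "127.0.0.1:8265", "[::1]:8265"}


def weak_is_browser(headers):
    """Heuristic of the kind the advisory describes: a request is considered
    browser-originated only if its User-Agent mentions 'Mozilla'."""
    return "Mozilla" in headers.get("User-Agent", "")


def weak_allow(headers):
    """Weak policy: block anything that looks like a browser, allow the rest."""
    return not weak_is_browser(headers)


def hardened_allow(headers):
    """Hardened policy: the request must be addressed to a host we serve
    (defeats DNS rebinding) and, if it carries an Origin header, that origin
    must be one of ours (defeats cross-site requests). No dependence on
    anything the page script can choose freely, such as User-Agent."""
    if headers.get("Host", "") not in ALLOWED_HOSTS:
        return False
    origin = headers.get("Origin")
    if origin is not None:
        # urlsplit("null").netloc == "" so an opaque 'null' origin is rejected
        if urlsplit(origin).netloc not in ALLOWED_HOSTS:
            return False
    return True


# Constructed requests (header dicts), not captured traffic.
LOCAL_CLI_REQUEST = {
    "Host": "127.0.0.1:8265",
    "User-Agent": "python-requests/2.32.0",
}

# Script on attacker's page after DNS rebinding: the browser resolved
# rebind.attacker.example to 127.0.0.1, and fetch() overrode User-Agent
# (honoured by Firefox and Safari per the advisory) so 'Mozilla' is absent.
DNS_REBOUND_FETCH_REQUEST = {
    "Host": "rebind.attacker.example:8265",
    "Origin": "http://rebind.attacker.example:8265",
    "User-Agent": "curl/8.0",
}

# Cross-site request where the script did not touch User-Agent.
CROSS_SITE_DEFAULT_UA_REQUEST = {
    "Host": "localhost:8265",
    "Origin": "http://evil.example",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/131.0",
}


def evaluate():
    """Return {name: (weak_allow, hardened_allow)} for each constructed request."""
    cases = {
        "local_cli": LOCAL_CLI_REQUEST,
        "dns_rebound_fetch": DNS_REBOUND_FETCH_REQUEST,
        "cross_site_default_ua": CROSS_SITE_DEFAULT_UA_REQUEST,
    }
    return {name: (weak_allow(h), hardened_allow(h)) for name, h in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:24s} weak={weak!s:5s} hardened={hard}")
```

The point the table of verdicts makes: the heuristic only stops the request the attacker did not bother to disguise, whereas the Host check rejects the rebound request regardless of what User-Agent the page chose.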

Tags: Exploit · Fix · RCE · CSRF · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-14769
CVE-2025-62593
GHSA-Q279-JHRF-CC6V

Affected Products

Ray