Summary
Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.
Details
- Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.
- Endpoints lacking browser protection/auth by default:
  - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete("/api/serve/applications/") calls serve.shutdown().
  - python/ray/dashboard/modules/job/job_head.py: @routes.delete("/api/jobs/{job_or_submission_id}").
  - python/ray/dashboard/modules/job/job_agent.py: @routes.delete("/api/job_agent/jobs/{job_or_submission_id}") (not wrapped with deny_browser_requests either).
- Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.
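As an added example (not Ray's code), a method-agnostic version of the gate described above, which closes the DELETE gap by checking every state-changing method rather than only POST/PUT. The header heuristics, the function names and the sample headers are assumptions that approximate the UA/Origin/Sec-Fetch checks the advisory mentions, not Ray's actual is_browser_request implementation.

```python
# Added example, not Ray's code. Shows the narrow POST/PUT gate beside a
# hardened gate that covers all unsafe methods. Header heuristics below are
# an assumed approximation of the UA/Origin/Sec-Fetch checks the advisory
# describes.
from typing import FrozenSet, Mapping

# The gate as the advisory describes it: only POST and PUT are checked.
NARROW_GATE: FrozenSet[str] = frozenset({"POST", "PUT"})
# Hardened gate: every method that can change server state.
UNSAFE_METHODS: FrozenSet[str] = frozenset({"POST", "PUT", "DELETE", "PATCH"})


def is_browser_request(headers: Mapping[str, str]) -> bool:
    """Heuristic: does the request look browser-originated?

    Assumed signals: a Mozilla-style User-Agent, an Origin header, or any
    Sec-Fetch-* header (browsers attach these to fetch() calls).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "mozilla" in h.get("user-agent", "").lower():
        return True
    if "origin" in h:
        return True
    return any(k.startswith("sec-fetch-") for k in h)


def should_deny(method: str, headers: Mapping[str, str],
                gated_methods: FrozenSet[str] = UNSAFE_METHODS) -> bool:
    """True when the request should be rejected (e.g. with HTTP 403).

    Passing gated_methods=NARROW_GATE reproduces the advisory's gap:
    a browser-originated DELETE is let through.
    """
    return method.upper() in gated_methods and is_browser_request(headers)


# Constructed sample: headers a browser adds to a cross-site fetch().
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0",
    "Origin": "http://other-site.example",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "cross-site",
}
# Constructed sample: a CLI/SDK client with no browser signals.
CLI_HEADERS = {"User-Agent": "python-requests/2.31", "Accept": "application/json"}

if __name__ == "__main__":
    for gate, name in ((NARROW_GATE, "narrow"), (UNSAFE_METHODS, "hardened")):
        for m in ("GET", "POST", "DELETE"):
            verdict = "deny" if should_deny(m, BROWSER_HEADERS, gate) else "allow"
            print(f"{name:8} {m:6} -> {verdict}")
```

The narrow gate allows a browser DELETE while the hardened gate denies it; a non-browser client (CLI/SDK) is unaffected by either, which is the behaviour a method-complete middleware should preserve alongside token auth.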
PoC
Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.
1) Start Serve (or have jobs present).
2) From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:
    fetch("http://<dashboard-host>:8265/api/serve/applications/", {
      method: "DELETE",
      headers: { "User-Agent": "Mozilla/5.0" } // browsers set this automatically
    });
Result: Serve shuts down.
3) Similarly, delete jobs:
    fetch("http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>", { method: "DELETE" });
    fetch("http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>", { method: "DELETE" });
Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.
Impact
- Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).
- No code execution from this vector, but breaks isolation/trust assumptions for “developer-only” endpoints.
Fix
The fix for this vulnerability is to update to Ray 2.54.0 or higher.
Fix PR: ray-project/ray#60526
References