This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. At the request of the MITRE TL-Root and following the CVE Program’s Dispute Policy, it has been determined that this assignment did not identify a valid vulnerability based on the vendor's product security model.
References

No reference.

History

Tue, 02 Dec 2025 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1188
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Tue, 02 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Description Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. At the request of the MITRE TL-Root and following the CVE Program’s Dispute Policy, it has been determined that this assignment did not identify a valid vulnerability based on the vendor's product security model.
Title Anyscale Ray v2.52.0 Token Authentication Disabled by Default Insecure Configuration
CPEs cpe:2.3:a:anyscale:ray:2.52.0:*:*:*:*:*:*:*
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Fri, 28 Nov 2025 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:anyscale:ray:2.52.0:*:*:*:*:*:*:*

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Anyscale
Anyscale ray
Vendors & Products Anyscale
Anyscale ray

Thu, 27 Nov 2025 03:00:00 +0000

Type Values Removed Values Added
Description Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.
Title Anyscale Ray v2.52.0 Token Authentication Disabled by Default Insecure Configuration
Weaknesses CWE-1188
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: REJECTED

Assigner: VulnCheck

Published: 2025-11-27T02:45:39.934Z

Updated: 2025-12-02T22:04:26.772Z

Reserved: 2025-04-15T19:15:22.589Z

Link: CVE-2025-34351

Vulnrichment

No data.

NVD

Status: Rejected

Published: 2025-11-27T03:15:58.790

Modified: 2025-12-02T22:16:08.287

Link: CVE-2025-34351

Redhat

No data.