CVE-2025-34351 - Vulnerability Details

Description

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. At the request of the MITRE TL-Root and following the CVE Program’s Dispute Policy, it has been determined that this assignment did not identify a valid vulnerability based on the vendor's product security model. Additionally, this assignment conflicts with an existing CVE (CVE-2023-48022).

Published: 2025-11-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

No data.

Vendor	Product	Confidence	Versions
Anyscale	Ray	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-gx77-xgc2-4888	Ray's New Token Authentication is Disabled By Default

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

No reference.

History

Tue, 09 Dec 2025 19:30:00 +0000

Type	Values Removed	Values Added
Description	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. At the request of the MITRE TL-Root and following the CVE Program’s Dispute Policy, it has been determined that this assignment did not identify a valid vulnerability based on the vendor's product security model.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. At the request of the MITRE TL-Root and following the CVE Program’s Dispute Policy, it has been determined that this assignment did not identify a valid vulnerability based on the vendor's product security model. Additionally, this assignment conflicts with an existing CVE (CVE-2023-48022).

Tue, 02 Dec 2025 22:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-1188
References	https://docs.ray.io/en/latest/ray-security/token-auth.html https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-w8vc-465m-jjw6 https://www.vulncheck.com/advisories/anyscale-ray-token-authentication-disabled-by-default-insecure-configuration
Metrics	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Tue, 02 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description	Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. At the request of the MITRE TL-Root and following the CVE Program’s Dispute Policy, it has been determined that this assignment did not identify a valid vulnerability based on the vendor's product security model.
Title	Anyscale Ray v2.52.0 Token Authentication Disabled by Default Insecure Configuration
CPEs	cpe:2.3:a:anyscale:ray:2.52.0:::::::*
Metrics	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Fri, 28 Nov 2025 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:anyscale:ray:2.52.0:::::::*

Thu, 27 Nov 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Anyscale Anyscale ray
Vendors & Products		Anyscale Anyscale ray

Thu, 27 Nov 2025 03:00:00 +0000

Type	Values Removed	Values Added
Description		Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.
Title		Anyscale Ray v2.52.0 Token Authentication Disabled by Default Insecure Configuration
Weaknesses		CWE-1188
References		https://docs.ray.io/en/latest/ray-security/token-auth.html https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-w8vc-465m-jjw6 https://www.vulncheck.com/advisories/anyscale-ray-token-authentication-disabled-by-default-insecure-configuration
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Anyscale Ray

MITRE

Status: REJECTED

Assigner: VulnCheck

Published: 2025-11-27T02:45:39.934Z

Updated: 2025-12-09T19:11:41.458Z

Reserved: 2025-04-15T19:15:22.589Z

Link: CVE-2025-34351

Vulnrichment

No data.

NVD

Status : Rejected

Published: 2025-11-27T03:15:58.790

Modified: 2025-12-09T20:15:53.973

Link: CVE-2025-34351

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-11-27T16:26:37Z

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object