Auth Bypass in Anyscale

How Auth Bypass Manifests in Anyscale

Anyscale provides managed Ray clusters on which users typically deploy machine-learning models with Ray Serve. Open-source Ray Serve exposes its HTTP proxy without any authentication layer of its own, and an Anyscale service deployed with authentication disabled (a shortcut often taken for development or quick-test environments) behaves the same way: the generated /predict, /health, or custom routes are reachable by anyone who can resolve the service's public DNS name, with no token, session, or network check in between.

Consider a deployment through the Anyscale Python SDK that switches the query authentication token off:

import anyscale
from anyscale.service.models import ServiceConfig

# Deploy a Ray Serve application as an Anyscale service. Field names follow
# the Anyscale Python SDK's ServiceConfig; check them against the SDK version
# you have installed. Disabling the query auth token is the weak setting this
# page is about: the service then answers any caller.
config = ServiceConfig(
    name="model-service",
    applications=[{"import_path": "my_model:app", "route_prefix": "/predict"}],
    requirements=["torch"],
    query_auth_token_enabled=False,  # never do this for a publicly reachable service
)
anyscale.service.deploy(config)

The resulting service listens on https://<cluster-domain>/predict and accepts any HTTP request, whether or not a valid Anyscale token is present. An attacker can therefore:

  • Run inference at will against the model endpoint, burning GPU time (and budget) or extracting whatever the model reveals about its training data.
  • If the Ray dashboard (default port 8265) is reachable as well, read its REST endpoints (e.g., /api/serve/applications/), which expose deployment metadata and internal IP addresses.
  • If the application fetches URLs or files on the caller's behalf, use it for SSRF inside the cluster network or to read model weights off the cluster.

This pattern maps directly to OWASP API Top 10 2023 API2:2023 – Broken Authentication. The same root cause, an HTTP surface that trusts every caller, underlies the unauthenticated Ray Jobs API tracked as CVE-2023-48022 (which Anyscale treats as expected behaviour for a cluster exposed outside a trusted network) and the reports of unauthenticated Ray Serve endpoints seen in public bug-bounty programs.

Anyscale-Specific Detection with middleBrick

middleBrick’s unauthenticated black‑box scan includes the Authentication check, which probes each discovered endpoint for missing or ineffective authentication controls. When pointed at an Anyscale cluster URL, the scanner will:

  1. Enumerate routes by trying standard HTTP methods (GET, POST, PUT, DELETE) against common API prefixes (/predict, /health, /api/serve/).
  2. Issue each request twice: once without an Authorization header and once with a well-formed but invalid bearer token.
  3. Mark an endpoint as vulnerable if it answers with a 2xx status and meaningful data (a JSON payload, a model inference result) rather than an empty body or a redirect to a login page.
  4. Correlate findings with the BOLA/IDOR and Property Authorization checks to highlight cases where an endpoint is both unauthenticated and exposes object-level data.
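The four steps above as a runnable sketch in plain Python. This is an added example, not middleBrick's scanner and not Anyscale's code: the route list, the bogus token, the two fake clusters and the service token string inside them are constructed for the demonstration, and the verdict names are mine.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# One HTTP exchange: (status, lower-cased headers, body). A Transport is any
# callable that performs it; the constructed fakes below let the probe run
# offline, and urllib_transport() drives a real endpoint.
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, str, Dict[str, str]], Response]

# Routes and methods to try: the common Ray Serve / Anyscale prefixes.
ROUTES = ["/predict", "/health", "/api/serve/applications/"]
METHODS = ["GET", "POST"]
BOGUS_TOKEN = "Bearer 00000000-0000-4000-8000-000000000000"  # constructed, never valid


def looks_meaningful(headers: Dict[str, str], body: bytes) -> bool:
    """A 2xx only counts if the body carries data: non-empty JSON or text."""
    if "json" in headers.get("content-type", "").lower():
        try:
            return json.loads(body.decode() or "null") not in (None, {}, [])
        except (ValueError, UnicodeDecodeError):
            return False
    return len(body.strip()) > 0


def classify(anon: Response, bogus: Response) -> str:
    """Verdict for one route from its anonymous and bogus-token responses."""
    a_status, a_headers, a_body = anon
    b_status, b_headers, b_body = bogus
    if a_status in (404, 405):
        return "absent"
    if 200 <= a_status < 300 and looks_meaningful(a_headers, a_body):
        return "unauthenticated"          # no token needed at all
    if 200 <= b_status < 300 and looks_meaningful(b_headers, b_body):
        return "token-not-validated"      # header required, value never checked
    if a_status in (401, 403) and b_status in (401, 403):
        return "protected"
    return "review"                       # e.g. 5xx or an empty 2xx: look manually


def probe(base_url: str, send: Transport,
          routes: List[str] = ROUTES, methods: List[str] = METHODS) -> List[Dict[str, str]]:
    """Return one finding per route/method that is not clearly protected."""
    findings = []
    for route in routes:
        for method in methods:
            url = base_url.rstrip("/") + route
            anon = send(method, url, {})
            bogus = send(method, url, {"Authorization": BOGUS_TOKEN})
            verdict = classify(anon, bogus)
            if verdict not in ("absent", "protected"):
                findings.append({"method": method, "route": route,
                                 "verdict": verdict, "status": str(anon[0])})
    return findings


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Real transport, for a deployment you are authorised to test."""
    data = b"{}" if method in ("POST", "PUT") else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


# --- constructed fakes standing in for two Anyscale deployments ---------------

def fake_open_cluster(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Service deployed with the query auth token disabled."""
    path = urllib.parse.urlsplit(url).path
    if path == "/predict":
        if method != "POST":
            return 405, {}, b""
        return 200, {"content-type": "application/json"}, b'{"prediction": [0.91, 0.09]}'
    if path == "/health":
        if method != "GET":
            return 405, {}, b""
        return 200, {"content-type": "text/plain"}, b"ok"
    return 404, {}, b"Not Found"


def fake_hardened_cluster(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Same service with the token enforced in front of every route."""
    if headers.get("Authorization") != "Bearer s3cr3t-service-token":  # constructed token
        return 401, {"www-authenticate": "Bearer"}, b""
    return fake_open_cluster(method, url, headers)


if __name__ == "__main__":
    for finding in probe("https://my-cluster.anyscale.app", fake_open_cluster):
        print(finding)
```

Against a real deployment, pass urllib_transport in place of the fake. A health route that was exempted on purpose will show up as "unauthenticated"; record it as an accepted exception in the report rather than dropping it from the probe, so the exemption stays visible if its scope ever widens.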

Example CLI usage:

middlebrick scan https://my-cluster.anyscale.app/predict

Typical JSON output (truncated for clarity):

{
  "score": 42,
  "grade": "F",
  "findings": [
    {
      "id": "auth-001",
      "name": "Missing authentication on endpoint",
      "description": "The /predict endpoint returns model inference results without requiring a valid Anyscale token.",
      "severity": "high",
      "remediation": "Enable authentication on the cluster or add a middleware that validates the Bearer token against Anyscale’s token introspection endpoint."
    }
  ]
}

In a CI/CD pipeline, the GitHub Action can be configured to fail a pull request when the grade (or score) falls below a chosen threshold:

name: API Security Check
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run middleBrick scan
        uses: middlebrick/github-action@v1
        with:
          api-url: https://my-cluster.anyscale.app
          fail-below: "C"   # fail if grade is worse than C

Thus, middleBrick provides repeatable, automated detection of auth‑bypass exposure in Anyscale‑hosted APIs without requiring agents, credentials, or internal access.

Anyscale-Specific Remediation – Fixing Auth Bypass

Remediation relies on Anyscale's native security features rather than external patches. The goal is that every externally reachable endpoint validates an Anyscale bearer token before processing the request, and that any exemption (such as a health check) is listed explicitly rather than left to the default.

1. Enable authentication at cluster creation

When provisioning a cluster via the Anyscale CLI or SDK, pass the --auth-enabled flag (auth_enabled: true in the SDK); confirm the option name in the built-in help of the CLI version you use. With it set, the control plane issues bearer tokens and validates them on all ingress traffic.

anyscale cluster create \
  --name prod-cluster \
  --auth-enabled \
  --instance-type AWS::t3.medium \
  --min-workers 2 \
  --max-workers 10

If a cluster is already running, you can update it:

anyscale cluster update --set auth_enabled=true

After enabling, the cluster's ingress rejects any request lacking a valid Authorization: Bearer <token> header with a 401 response. Confirm this from outside the cluster network with a plain curl to /predict before relying on it, since a cached route or a second ingress can leave the old behaviour in place.

2. Add token validation middleware to Ray Serve deployments

For fine-grained control (e.g., exempting a health-check endpoint), add a custom ASGI middleware to the FastAPI app that Ray Serve exposes through @serve.ingress, and have it check the token against Anyscale's public key or a token introspection endpoint. The URL and key below are placeholders to confirm against Anyscale's current documentation; the exemption is an exact (method, path) match so that nothing else inherits it.

import os
import jwt                      # PyJWT
import requests
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.requests import Request
from starlette.responses import Response

# Assumptions: confirm the introspection URL and the signing key against Anyscale's docs.
ANYSCALE_TOKEN_INFO_URL = "https://api.anyscale.com/v1/token/introspect"
ANYSCALE_PUBLIC_KEY = os.environ.get("ANYSCALE_JWT_PUBLIC_KEY")  # PEM text, if you have one
EXEMPT = {("GET", "/-/healthz")}  # Ray Serve's proxy health route, exact match only

class AnyscaleAuthMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
        if (request.method, request.url.path) in EXEMPT:
            return await call_next(request)
        scheme, _, token = request.headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return Response("Unauthorized", status_code=401, headers={"WWW-Authenticate": "Bearer"})
        try:
            if ANYSCALE_PUBLIC_KEY:
                # Option 1: verify the signature offline; pin the algorithm list, never accept "none"
                jwt.decode(token, ANYSCALE_PUBLIC_KEY, algorithms=["RS256"])
            else:
                # Option 2: ask the introspection endpoint (one network round trip per request)
                r = requests.post(ANYSCALE_TOKEN_INFO_URL, json={"token": token}, timeout=5)
                r.raise_for_status()
                if not r.json().get("active"):
                    raise PermissionError("token not active")
        except (jwt.PyJWTError, requests.RequestException, PermissionError, ValueError):
            return Response("Unauthorized", status_code=401, headers={"WWW-Authenticate": "Bearer"})
        return await call_next(request)
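A stdlib-only counterpart to the middleware above, added here as an example (it is neither Anyscale's code nor the page's own). Instead of verifying a signed token it compares an opaque shared service token in constant time, which is the assumption this example makes about the token format. The environment variable name, the default token, /-/healthz being the only unauthenticated route, and the in-memory ASGI driver are all mine; the middleware itself is plain ASGI, so on a FastAPI ingress it attaches with app.add_middleware(BearerTokenMiddleware, token=...).

```python
import asyncio
import hmac
import os
from typing import Optional, Tuple

# Assumed: the service token is injected at deploy time (e.g. through the
# service's env_vars); never hard-code it. The default exists only so the
# example runs offline.
SERVICE_TOKEN = os.environ.get("SERVICE_QUERY_TOKEN", "example-token-for-local-tests")

# Allow-list of (method, path) pairs served without a token. Exact matches
# only, so nothing else inherits the exemption. /-/healthz is Ray Serve's
# built-in proxy health route.
UNAUTHENTICATED = {("GET", "/-/healthz")}


def token_is_valid(authorization: str, expected: str) -> bool:
    """Accept only 'Bearer <token>'; compare in constant time."""
    scheme, _, presented = authorization.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class BearerTokenMiddleware:
    """Pure ASGI middleware: wrap any ASGI app, or register it on a FastAPI
    ingress with app.add_middleware(BearerTokenMiddleware, token=...)."""

    def __init__(self, app, token: str):
        self.app = app
        self.token = token

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or (scope["method"], scope["path"]) in UNAUTHENTICATED:
            await self.app(scope, receive, send)
            return
        headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                   for k, v in scope.get("headers", [])}
        if not token_is_valid(headers.get("authorization", ""), self.token):
            # Reject before the body is read or the model is touched.
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"content-type", b"text/plain"),
                                    (b"www-authenticate", b"Bearer")]})
            await send({"type": "http.response.body", "body": b"Unauthorized"})
            return
        await self.app(scope, receive, send)


async def model_app(scope, receive, send):
    """Stand-in for the Serve ingress; returns a constructed prediction."""
    await receive()  # drain the request body as a real app would
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"prediction": [0.91, 0.09]}'})


def call(app, method: str, path: str, authorization: Optional[str] = None) -> Tuple[int, bytes]:
    """Drive an ASGI app in memory (no server) and return (status, body)."""
    headers = [(b"host", b"model-service.example")]
    if authorization is not None:
        headers.append((b"authorization", authorization.encode()))
    scope = {"type": "http", "method": method, "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return sent[0]["status"], body


protected = BearerTokenMiddleware(model_app, SERVICE_TOKEN)

if __name__ == "__main__":
    print(call(protected, "POST", "/predict"))
    print(call(protected, "POST", "/predict", "Bearer " + SERVICE_TOKEN))
    print(call(protected, "GET", "/-/healthz"))
```

The two design points worth keeping when you adapt this: the comparison is constant-time (hmac.compare_digest), so response timing does not leak how many leading bytes of a guessed token were right, and the health exemption is keyed on method and exact path, so a POST to the health route or any sub-path still needs the token.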

Related CWEs: authentication

CWE ID    Name                                                        Severity
CWE-287   Improper Authentication                                     CRITICAL
CWE-306   Missing Authentication for Critical Function                CRITICAL
CWE-307   Improper Restriction of Excessive Authentication Attempts   HIGH
CWE-308   Use of Single-factor Authentication                         MEDIUM
CWE-309   Use of Password System for Primary Authentication           MEDIUM
CWE-347   Improper Verification of Cryptographic Signature            HIGH
CWE-384   Session Fixation                                            HIGH
CWE-521   Weak Password Requirements                                  MEDIUM
CWE-613   Insufficient Session Expiration                             MEDIUM
CWE-640   Weak Password Recovery Mechanism for Forgotten Password     HIGH