Update dependency ray to v2.56.0 [SECURITY]#57
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Contributor
Author
|
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
October 14, 2025 23:19
531ac73 to
eb91da0
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
November 28, 2025 20:05
eb91da0 to
aeef1f8
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 5, 2025 16:15
aeef1f8 to
1d53237
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 6, 2025 10:44
1d53237 to
36cee51
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 8, 2025 19:48
36cee51 to
10b2330
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 11, 2025 23:34
10b2330 to
908b311
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 13, 2025 04:16
908b311 to
35d72fc
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 18, 2025 07:58
35d72fc to
8da4b47
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 21, 2025 03:09
8da4b47 to
345ddf0
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 23, 2025 00:01
345ddf0 to
3554772
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 23, 2025 20:00
3554772 to
260d59c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 25, 2025 06:39
260d59c to
89dadf5
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 28, 2025 07:04
89dadf5 to
5f45548
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
December 29, 2025 16:02
5f45548 to
1bb47d4
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 11, 2026 11:07
834bc21 to
02080c1
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 12, 2026 08:38
02080c1 to
03021df
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 13, 2026 19:45
03021df to
2da8f44
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 20, 2026 03:08
2da8f44 to
a57a807
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 21, 2026 18:37
a57a807 to
52d1c40
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 22, 2026 17:46
52d1c40 to
7ea00d5
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
January 26, 2026 08:02
7ea00d5 to
e4de403
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
3 times, most recently
from
February 2, 2026 03:43
89fd7c9 to
65a752d
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
February 4, 2026 06:03
65a752d to
326eb5d
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
February 4, 2026 20:32
326eb5d to
7a08416
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
February 6, 2026 00:18
7a08416 to
2da472c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
February 6, 2026 10:10
2da472c to
6147f36
Compare
renovate
Bot
force-pushed
the
renovate/pypi-ray-vulnerability
branch
from
February 8, 2026 04:00
6147f36 to
7c1ad3f
Compare
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~=2.21.0→~=2.56.0~=2.48.0→~=2.56.0==2.43.0→==2.56.0==2.21.0→==2.56.0==2.48.0→==2.56.0ray vulnerable to Insertion of Sensitive Information into Log File
CVE-2025-1979 / GHSA-w4rh-fgx7-q63m
More information
Details
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.
This is only exploitable if:
Logging is enabled;
Redis is using password authentication;
Those logs are accessible to an attacker, who can reach that redis instance.
Note:
It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.
Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
ray vulnerable to Insertion of Sensitive Information into Log File
CVE-2025-1979 / GHSA-w4rh-fgx7-q63m / PYSEC-2025-23
More information
Details
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.
This is only exploitable if:
Logging is enabled;
Redis is using password authentication;
Those logs are accessible to an attacker, who can reach that redis instance.
Note:
It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.
Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2025-1979 / GHSA-w4rh-fgx7-q63m / PYSEC-2025-23
More information
Details
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.
This is only exploitable if:
Logging is enabled;
Redis is using password authentication;
Those logs are accessible to an attacker, who can reach that redis instance.
Note:
It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Ray has arbitrary code execution via jobs submission API
CVE-2023-48022 / GHSA-6wgj-66m2-xxp2 / PYSEC-2026-517
More information
Details
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Ray has arbitrary code execution via jobs submission API
CVE-2023-48022 / GHSA-6wgj-66m2-xxp2 / PYSEC-2026-517
More information
Details
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Ray's New Token Authentication is Disabled By Default
CVE-2025-34351 / GHSA-gx77-xgc2-4888 / PYSEC-2026-518
More information
Details
Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
CVE-2025-62593 / GHSA-q279-jhrf-cc6v / PYSEC-2026-520
More information
Details
Summary
Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari.
Due to the longstanding decision by the Ray Development team to not implement any sort of authentication on critical endpoints, like the
/api/jobs&/api/job_agent/jobs/has once again led to a severe vulnerability that allows attackers to execute arbitrary code against Ray. This time in a development context via the browsers Firefox and Safari.This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the
User-Agentheader starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows theUser-Agentheader to be modified.Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising).
Details
The mitigations implemented to protect against browser based attacks against local Ray nodes are insufficient.
Current Mitigation Strategies
https://github.com/ray-project/ray/blob/f39a860436dca3ed5b9dfae84bd867ac10c84dc6/python/ray/dashboard/optional_utils.py#L129-L155
https://github.com/ray-project/ray/blob/e7889ae542bf0188610bc8b06d274cbf53790cbd/python/ray/dashboard/http_server_head.py#L184-L196
This is because the fundamental assumption that the
User-Agentheader can't be manipulated is incorrect. In Firefox and in Safari, thefetchAPI allows theUser-Agentheader to be set to a different value. Chrome is not vulnerable, ironically, because of a bug, bringing it out of spec with thefetchspecification.Exploiting this vulnerability requires a DNS rebinding attack against the browser. Something trivially done by modern tooling like nccgroup/singularity.
PoC
Please note, this full PoC will be going live at time of disclosure.
ray start --head --port=63798265Ray Jobs RCE (default port 8265)If this attack doesn't work, consider clicking the "Toggle Advanced Options" and trying an alternative "Rebinding Strategy". I've personally been able to get this attack to work multiple times on MacOS on multiple different residential networks around the Seattle area. Some corporate networks may block DNS rebinding attacks, but likely not many.
What's going on?
This is the payload running in nccgroup/singularity:
See: https://github.com/nccgroup/singularity/pull/68
Impact
This vulnerability impacts developers running development/testing environments with Ray. If they fall victim to a phishing attack, or are served a malicious ad, they can be exploited and arbitrary shell code can be executed on their developer machine.
This attack can also be leveraged to attack network-adjacent instance of ray by leveraging the browser as a confused deputy intermediary to attack ray instances running inside a private corporate network.
Fix
The fix for this vulnerability is to update to Ray 2.52.0 or higher. This version also, finally, adds a disabled-by-default authentication feature that can further harden against this vulnerability: https://docs.ray.io/en/latest/ray-security/token-auth.html
Fix commit: ray-project/ray@70e7c72
Several browsers have, after knowing about the attack for 19 years, recently begun hardening against DNS rebinding. (Chrome Local Network Access). These changes may protect you, but a previous initiative, "private network access" was rolled back. So updating is highly recommended as a defense-in-depth strategy.
Credit
The fetch bypass was originally theorized by @avilum at Oligo. The DNS rebinding step, full POC, and disclosure was by @JLLeitschuh while at Socket.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Ray's New Token Authentication is Disabled By Default
CVE-2025-34351 / GHSA-gx77-xgc2-4888 / PYSEC-2026-518
More information
Details
Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
CVE-2025-62593 / GHSA-q279-jhrf-cc6v / PYSEC-2026-520
More information
Details
Summary
Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari.
Due to the longstanding decision by the Ray Development team to not implement any sort of authentication on critical endpoints, like the
/api/jobs&/api/job_agent/jobs/has once again led to a severe vulnerability that allows attackers to execute arbitrary code against Ray. This time in a development context via the browsers Firefox and Safari.This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the
User-Agentheader starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows theUser-Agentheader to be modified.Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising).
Details
The mitigations implemented to protect against browser based attacks against local Ray nodes are insufficient.
Current Mitigation Strategies
https://github.com/ray-project/ray/blob/f39a860436dca3ed5b9dfae84bd867ac10c84dc6/python/ray/dashboard/optional_utils.py#L129-L155
https://github.com/ray-project/ray/blob/e7889ae542bf0188610bc8b06d274cbf53790cbd/python/ray/dashboard/http_server_head.py#L184-L196
This is because the fundamental assumption that the
User-Agentheader can't be manipulated is incorrect. In Firefox and in Safari, thefetchAPI allows theUser-Agentheader to be set to a different value. Chrome is not vulnerable, ironically, because of a bug, bringing it out of spec with thefetchspecification.Exploiting this vulnerability requires a DNS rebinding attack against the browser. Something trivially done by modern tooling like nccgroup/singularity.
PoC
Please note, this full PoC will be going live at time of disclosure.
ray start --head --port=63798265Ray Jobs RCE (default port 8265)If this attack doesn't work, consider clicking the "Toggle Advanced Options" and trying an alternative "Rebinding Strategy". I've personally been able to get this attack to work multiple times on MacOS on multiple different residential networks around the Seattle area. Some corporate networks may block DNS rebinding attacks, but likely not many.
What's going on?
This is the payload running in nccgroup/singularity:
See: https://github.com/nccgroup/singularity/pull/68
Impact
This vulnerability impacts developers running development/testing environments with Ray. If they fall victim to a phishing attack, or are served a malicious ad, they can be exploited and arbitrary shell code can be executed on their developer machine.
This attack can also be leveraged to attack network-adjacent instance of ray by leveraging the browser as a confused deputy intermediary to attack ray instances running inside a private corporate network.
Fix
The fix for this vulnerability is to update to Ray 2.52.0 or higher. This version also, finally, adds a disabled-by-default authentication feature that can further harden against this vulnerability: https://docs.ray.io/en/latest/ray-security/token-auth.html
Fix commit: ray-project/ray@70e7c72
Several browsers have, after knowing about the attack for 19 years, recently begun hardening against DNS rebinding. (Chrome Local Network Access). These changes may protect you, but a previous initiative, "private network access" was rolled back. So updating is highly recommended as a defense-in-depth strategy.
Credit
The fetch bypass was originally theorized by @avilum at Oligo. The DNS rebinding step, full POC, and disclosure was by @JLLeitschuh while at Socket.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)
CVE-2026-27482 / GHSA-q5fh-2hc8-f6rq / PYSEC-2026-2271
More information
Details
Summary
Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can
issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.
Details
PoC
Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.
Result: Serve shuts down.
3) Similarly, delete jobs:
fetch("http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>", { method: "DELETE" });fetch("http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>", { method: "DELETE" });Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.
Impact
Fix
The fix for this vulnerability is to update to Ray 2.54.0 or higher.
Fix PR: https://github.com/ray-project/ray/pull/60526
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2026-27482 / GHSA-q5fh-2hc8-f6rq / PYSEC-2026-2271
More information
Details
Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:HReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
CVE-2026-41486 / GHSA-mw35-8rx3-xf9r / PYSEC-2026-2272 / PYSEC-2026-2296
More information
Details
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls arrow_ext_deserialize on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
CVE-2026-57516 / GHSA-hhrp-gw25-jr43 / PYSEC-2026-2273
More information
Details
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Release Notes
ray-project/ray (ray)
v2.56.0Compare Source
Highlights
iter_batchesstability by reducing hidden buffering and shutting down the executor when consumers exit early (#63660, #63682, #62949). This reduces object-store spilling for common training workloadsConfiguration
📅 Schedule: (in timezone America/Toronto)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.