VYPR

Ray

by Ray Project

pypi: ray

CVEs (6)

  • CVE-2025-62593 | Critical | Nov 26, 2025
    risk 0.54 | cvss | epss 0.00

    Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the…

  • CVE-2026-41486 | High | May 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing…

  • CVE-2025-1979 | Medium | Mar 6, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the…

  • CVE-2023-48023 | Nov 28, 2023
    risk 0.07 | cvss | epss 0.35

    Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment

  • CVE-2026-32981 | Mar 17, 2026
    risk 0.00 | cvss | epss 0.01

    A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to…

  • CVE-2026-27482 | Feb 21, 2026
    risk 0.00 | cvss | epss 0.00

    Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page…