Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/ray@2.49.2
purl pkg:pypi/ray@2.49.2
Next non-vulnerable version 2.55.0
Latest non-vulnerable version 2.55.0
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-25r5-wdzx-cqhu
Aliases:
CVE-2026-27482
GHSA-q5fh-2hc8-f6rq
Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion) Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.
2.54.0
Affected by 1 other vulnerability.
VCID-c8b7-h6ah-v7au
Aliases:
CVE-2025-62593
GHSA-q279-jhrf-cc6v
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. Due to the longstanding [decision](https://docs.ray.io/en/releases-2.51.1/ray-security/index.html) by the Ray Development team to not implement any sort of authentication on critical endpoints, like the `/api/jobs` & `/api/job_agent/jobs/` has once again led to a severe vulnerability that allows attackers to execute arbitrary code against Ray. This time in a development context via the browsers Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the `User-Agent` header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the `User-Agent` header to be modified. Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement ([malvertising](https://en.wikipedia.org/wiki/Malvertising)).
2.52.0
Affected by 3 other vulnerabilities.
VCID-e8qj-xgec-nfb2
Aliases:
CVE-2026-41486
GHSA-mw35-8rx3-xf9r
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization Ray Data registers custom Arrow extension types (`ray.data.arrow_tensor`, `ray.data.arrow_tensor_v2`, `ray.data.arrow_variable_shaped_tensor`) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls `__arrow_ext_deserialize__` on the field's metadata bytes. Ray's implementation passes these bytes directly to `cloudpickle.loads()`, achieving arbitrary code execution during schema parsing, before any row data is read. In May 2024, Ray fixed a related vulnerability in `PyExtensionType`-based extension types ([issue #41314](https://github.com/ray-project/ray/issues/41314), [PR #45084](https://github.com/ray-project/ray/pull/45084)). In July 2025, [PR #54831](https://github.com/ray-project/ray/pull/54831) introduced `cloudpickle.loads()` into the replacement extension types' deserialization path, reintroducing the same class of vulnerability. ## Impact - **Affected versions**: Ray 2.49.0 through 2.54.0 (latest release as of March 2026). The vulnerable `_deserialize_with_fallback` function with `cloudpickle.loads()` was introduced in commit `f6d21db1a4` ([PR #54831](https://github.com/ray-project/ray/pull/54831), July 2025), first released in Ray 2.49.0. - **Affected configurations**: Any process that uses Ray Data and reads Parquet files. The extension types are registered globally in PyArrow, so all Parquet reads in the process are affected, including `ray.data.read_parquet()`, `pyarrow.parquet.read_table()`, `pandas.read_parquet()`, etc. - **Attacker prerequisites**: The attacker must place a crafted Parquet file where a Ray Data pipeline reads it. No authentication or cluster access is required. The Parquet file must contain a column with a `ray.data.arrow_tensor` (or v2, or variable-shaped) extension type name, which makes this a targeted attack against Ray Data users.
2.55.0
Affected by 0 other vulnerabilities.
VCID-kd8z-ysxx-d3gd
Aliases:
CVE-2025-34351
GHSA-gx77-xgc2-4888
Ray's New Token Authentication is Disabled By Default Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access. There are no reported fixed by versions.
VCID-wjjq-cmu6-sqbb
Aliases:
CVE-2023-48022
GHSA-6wgj-66m2-xxp2
Ray has arbitrary code execution via jobs submission API Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T08:17:12.450582+00:00 GitLab Importer Affected by VCID-e8qj-xgec-nfb2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2026-41486.yml 38.6.0
2026-06-06T06:55:56.468223+00:00 GitLab Importer Affected by VCID-25r5-wdzx-cqhu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2026-27482.yml 38.6.0
2026-06-06T06:27:27.106220+00:00 GitLab Importer Affected by VCID-kd8z-ysxx-d3gd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2025-34351.yml 38.6.0
2026-06-06T06:27:20.079782+00:00 GitLab Importer Affected by VCID-c8b7-h6ah-v7au https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2025-62593.yml 38.6.0
2026-06-02T04:46:26.662944+00:00 GitLab Importer Affected by VCID-wjjq-cmu6-sqbb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2023-48022.yml 38.6.0