VulnerableCode Package Details - pkg:pypi/ray@2.8.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-bu1m-265h-f7h4 Aliases: CVE-2025-1979 PYSEC-2025-23	Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password. This is only exploitable if: 1) Logging is enabled; 2) Redis is using password authentication; 3) Those logs are accessible to an attacker, who can reach that redis instance. Note: It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.	2.43.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-bu1m-265h-f7h4
Aliases:
CVE-2025-1979
PYSEC-2025-23

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password. This is only exploitable if: 1) Logging is enabled; 2) Redis is using password authentication; 3) Those logs are accessible to an attacker, who can reach that redis instance. **Note:** It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.

2.43.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-79ae-r9sy-kuc3	Ray Missing Authorization vulnerability LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023	CVE-2023-6020 GHSA-6cxr-8q3m-jwrr
VCID-9s66-w31a-p7gd	Ray OS Command Injection vulnerability A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.	CVE-2023-6019 GHSA-h3xg-wv58-5p43
VCID-hfx6-9t71-qkfw	Ray Path Traversal vulnerability LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023	CVE-2023-6021 GHSA-3pww-qvr8-6mhp
VCID-m5xy-sdtw-3uh7	A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.	CVE-2026-32981 PYSEC-2026-130

Vulnerability

Summary

Aliases

VCID-79ae-r9sy-kuc3

Ray Missing Authorization vulnerability LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

CVE-2023-6020
GHSA-6cxr-8q3m-jwrr

VCID-9s66-w31a-p7gd

Ray OS Command Injection vulnerability A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

CVE-2023-6019
GHSA-h3xg-wv58-5p43

VCID-hfx6-9t71-qkfw

Ray Path Traversal vulnerability LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

CVE-2023-6021
GHSA-3pww-qvr8-6mhp

VCID-m5xy-sdtw-3uh7

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.

CVE-2026-32981
PYSEC-2026-130

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:21.512433+00:00	GitLab Importer	Fixing	VCID-hfx6-9t71-qkfw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2023-6021.yml	38.6.0
2026-06-02T04:46:21.421466+00:00	GitLab Importer	Fixing	VCID-79ae-r9sy-kuc3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2023-6020.yml	38.6.0
2026-06-02T04:46:21.002272+00:00	GitLab Importer	Fixing	VCID-9s66-w31a-p7gd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2023-6019.yml	38.6.0
2026-06-02T04:24:20.505799+00:00	Pypa Importer	Fixing	VCID-m5xy-sdtw-3uh7	https://github.com/pypa/advisory-database/blob/main/vulns/ray/PYSEC-2026-130.yaml	38.6.0
2026-06-02T04:22:50.528199+00:00	Pypa Importer	Affected by	VCID-bu1m-265h-f7h4	https://github.com/pypa/advisory-database/blob/main/vulns/ray/PYSEC-2025-23.yaml	38.6.0