ray@2.22.0 vulnerabilities

Ray provides a simple, universal API for building distributed applications.

Direct Vulnerabilities

Known vulnerabilities in the ray package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Server-side Request Forgery (SSRF)

ray is an A system for parallel and distributed Python that unifies the ML ecosystem.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the dashboard API, via the url parameter of the /log_proxy API endpoint. An attacker can retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API, due to insufficient input validation within the affected parameter.

Notes:

The maintainer's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

The maintainers have made a verification tool available to check a deployment for vulnerability to this issue: https://github.com/ray-project/ray-open-ports-checker

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for ray.

[0,)