AI Threat Alert AI Threat Alert

CVE-2025-1979: Ray: Redis password exposed via plaintext logging

GHSA-w4rh-fgx7-q63m MEDIUM
Published March 6, 2025
CISO Take

Ray clusters using Redis password auth before v2.43.0 log credentials in plaintext — anyone with log access can pivot directly to Redis. Upgrade to Ray 2.43.0+ immediately and rotate the Redis password; patching alone does not invalidate already-leaked credentials. If logs are aggregated to a centralized stack (Splunk, ELK, CloudWatch), audit who accessed them since the Ray deployment date.

Risk Assessment

CVSS 6.4 Medium with a local attack vector understates operational risk in MLOps environments. Ray clusters routinely ship logs to shared observability platforms, effectively converting a local read into a network-accessible credential store. Redis in Ray deployments holds job queues, distributed object store metadata, and cluster state — credential theft gives an attacker meaningful leverage over active ML workloads. Low EPSS (0.032%) reflects no current active exploitation, but the post-credential attack path is straightforward and requires no AI/ML expertise.

Affected Systems

Package Ecosystem Vulnerable Range Patched
ray pip < 2.43.0 2.43.0
42.4K OpenSSF 6.2 845 dependents Pushed 6d ago 78% patched ~186d to patch Full package profile →

Do you use ray? You're affected.

Severity & Risk

CVSS 3.1
6.4 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 24% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Local
AC High
PR Low
UI None
S Changed
C High
I Low
A None

Recommended Action

6 steps

  1. PATCH

    Upgrade ray to >=2.43.0 immediately — this is the only complete fix.

  2. ROTATE

    Change the Redis password after upgrading; patching does not expire credentials already logged.

  3. AUDIT LOGS

    Search historical Ray logs for Redis password strings (look for '--redis-password' or equivalent argument patterns).

  4. REVIEW LOG ACCESS

    Identify all principals (users, services, pipelines) with access to Ray logs since deployment — centralized log aggregators amplify exposure window.

  5. MONITOR REDIS

    Enable Redis AUTH failure logging and alert on connections from unexpected source IPs.

  6. WORKAROUND (if immediate patching is blocked): Restrict Ray log file ACLs to root/ray-service account only, and disable log forwarding to shared observability stacks until patched.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Leakage Data Extraction Framework Training Data AML.T0025 AML.T0035 AML.T0037 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security and privacy
NIST AI RMF
GOVERN 6.1 - Policies for AI risk and trustworthiness MANAGE 2.2 - Risk Treatment and Remediation
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-1979?

Ray clusters using Redis password auth before v2.43.0 log credentials in plaintext — anyone with log access can pivot directly to Redis. Upgrade to Ray 2.43.0+ immediately and rotate the Redis password; patching alone does not invalidate already-leaked credentials. If logs are aggregated to a centralized stack (Splunk, ELK, CloudWatch), audit who accessed them since the Ray deployment date.

Is CVE-2025-1979 actively exploited?

No confirmed active exploitation of CVE-2025-1979 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-1979?

1. PATCH: Upgrade ray to >=2.43.0 immediately — this is the only complete fix. 2. ROTATE: Change the Redis password after upgrading; patching does not expire credentials already logged. 3. AUDIT LOGS: Search historical Ray logs for Redis password strings (look for '--redis-password' or equivalent argument patterns). 4. REVIEW LOG ACCESS: Identify all principals (users, services, pipelines) with access to Ray logs since deployment — centralized log aggregators amplify exposure window. 5. MONITOR REDIS: Enable Redis AUTH failure logging and alert on connections from unexpected source IPs. 6. WORKAROUND (if immediate patching is blocked): Restrict Ray log file ACLs to root/ray-service account only, and disable log forwarding to shared observability stacks until patched.

What systems are affected by CVE-2025-1979?

This vulnerability affects the following AI/ML architecture patterns: distributed ML training pipelines, model serving, ML orchestration, reinforcement learning environments, multi-tenant GPU clusters.

What is the CVSS score for CVE-2025-1979?

CVE-2025-1979 has a CVSS v3.1 base score of 6.4 (MEDIUM). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password. This is only exploitable if: 1) Logging is enabled; 2) Redis is using password authentication; 3) Those logs are accessible to an attacker, who can reach that redis instance. **Note:** It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.

Exploitation Scenario

An adversary with read access to a Ray cluster's logs — through a compromised observability stack, a misconfigured S3 log bucket, or an over-permissioned developer account — searches for Redis password arguments logged at startup. Finding the plaintext credential, they authenticate directly to the Ray Redis instance. From there, they enumerate active training job queues, access distributed object store references (enabling exfiltration of intermediate model checkpoints), or inject malicious task metadata to corrupt ongoing ML runs. In a shared MLOps platform, a single leaked Redis password compromises workload isolation for all tenants on the cluster.

Weaknesses (CWE)

CWE-532 Insertion of Sensitive Information into Log File Primary

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

References

Timeline

Published
March 6, 2025
Last Modified
April 9, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2023-6019 9.8

Ray: unauthenticated RCE via dashboard command injection

Same package: ray
CRITICAL CVE-2023-48022 9.8

Ray: unauthenticated RCE via job submission API

Same package: ray
CRITICAL CVE-2023-6020 9.3

Ray: unauthenticated LFI exposes entire filesystem

Same package: ray
CRITICAL CVE-2023-6021 9.3

Ray: LFI allows unauthenticated file read

Same package: ray
MEDIUM CVE-2026-27482 5.9

ray: Missing Auth allows unauthenticated access

Same package: ray
Back to Threat Feed