CVE-2025-1979
Description
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password. This is only exploitable if: 1) Logging is enabled; 2) Redis is using password authentication; 3) Those logs are accessible to an attacker, who can reach that redis instance. **Note:** It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-1979
- https://github.com/ray-project/ray/issues/50266
- https://github.com/ray-project/ray/pull/50409
- https://github.com/ray-project/ray/commit/64a2e4010522d60b90c389634f24df77b603d85d
- https://github.com/pypa/advisory-database/tree/main/vulns/ray/PYSEC-2025-23.yaml
- https://github.com/ray-project/ray
- https://security.snyk.io/vuln/SNYK-PYTHON-RAY-8745212
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.