Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable data reader with no auth (PR:N) but a victim must ingest the malicious archive (UI:R); pickle deserialization yields full code execution, hence C/I/A:H and scope unchanged.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 885 pypi packages depend on ray (626 direct, 265 indirect)
Ecosystem-wide dependent count for version 2.56.0.
DescriptionCVE.org
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.
AnalysisAI
Remote code execution in Ray (the distributed compute/ML framework) before version 2.56.0 lets attackers run arbitrary code by feeding a malicious tar archive to the WebDataset reader. The read_webdataset() datasource invokes pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries with no validation, so code executes inside every Ray remote worker that processes the archive. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a Ray Data pipeline actually invokes read_webdataset() and processes an attacker-supplied tar archive containing an entry with a .pkl, .pickle, .pt, or .pth extension - this maps to the CVSS UI:A (active user interaction) requirement, meaning a victim or automated job must ingest the malicious archive. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 score is 8.6 with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, meaning network-reachable, low-complexity, no privileges, but requiring active user interaction (a victim/pipeline must actually ingest the attacker's archive) with full confidentiality, integrity and availability impact and no scope change to other systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a WebDataset tar archive containing a .pkl (or .pt) entry whose serialized payload runs a shell command via pickle's __reduce__ mechanism, then gets it into a data pipeline - for example by uploading it to a shared dataset bucket or publishing it as a public training set. When a Ray Data job calls read_webdataset() on that archive, _default_decoder() deserializes the entry and the attacker's code executes on every Ray worker that processes the shard. … |
| Remediation | Vendor-released patch: upgrade to Ray 2.56.0 or later, which contains the fixes from pull requests https://github.com/ray-project/ray/pull/63469 and https://github.com/ray-project/ray/pull/63470. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Ray deployments and current versions in use, prioritizing production ML pipelines and distributed data processing environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system r
Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. Rated critical severity (CVSS 9.1), this vulnerability is remotely
Local file disclosure in the Ray Dashboard (default TCP port 8265) of the Ray distributed-computing framework affects al
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. Rated high sever
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. Rated high severit
Ray dashboard versions 2.53.0 and below lack proper authentication on DELETE endpoints, allowing unauthenticated attacke
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41089