Description
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.
Problem types
Deserialization of Untrusted Data
Product status
Any version before 2.56.0
Credits
jeremysommerfeld8910-cpu
shakevsky
alexchenai
SSJCorpSec
thesecguy45
sfwani
Rahul Karne
References
github.com/...ct/ray/security/advisories/GHSA-hhrp-gw25-jr43
github.com/ray-project/ray/releases/tag/ray-2.56.0 (Release Notes)
github.com/...ct/ray/security/advisories/GHSA-hhrp-gw25-jr43 (GitHub Security Advisory (GHSA-hhrp-gw25-jr43))
github.com/ray-project/ray/pull/63469 (Fix PR (1))
github.com/ray-project/ray/pull/63470 (Fix PR (2))
www.vulncheck.com/...serialization-rce-via-webdataset-reader