Conversation

@acidghost

Updates: Affected products

Token-based authentication was introduced in Ray 2.52.0 (https://github.com/ray-project/ray/releases/tag/ray-2.52.0).

Copilot AI review requested due to automatic review settings December 10, 2025 06:04
@github-actions github-actions bot changed the base branch from main to acidghost/advisory-improvement-6526 December 10, 2025 06:06
Copilot AI left a comment


Pull request overview

This PR updates the security advisory GHSA-gx77-xgc2-4888 to correct the affected version range for Ray's token authentication vulnerability. The advisory now accurately reflects that the vulnerability was introduced in version 2.52.0 (when token authentication was added but disabled by default) rather than affecting all versions from 0 onwards.

Key changes:

  • Updated the affected version range to specify 2.52.0 as the introduction point
  • Removed the "last_affected" field since the vulnerability continues in subsequent versions
  • Updated the modification timestamp


@shelbyc (Contributor) commented Dec 10, 2025

👋 Hi @acidghost, the vulnerable version range for GHSA-gx77-xgc2-4888 is set to <= 2.52.0 because the token-based authentication that was introduced in Ray 2.52.0 was intended to fix an issue, GHSA-6wgj-66m2-xxp2, that's present in previous versions of Ray. When advisories discuss incomplete fixes for vulnerabilities, the VVR usually starts with the first vulnerable version, not the first version with the incomplete fix. Therefore, I'm going to keep the advisory the way it is for now. Thanks for your interest in GHSA-gx77-xgc2-4888!
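The two comments above disagree about which version range the advisory should carry: the PR proposed an "introduced: 2.52.0" range with no upper bound, while the maintainer kept "<= 2.52.0" (in OSV terms, introduced at 0 with last_affected 2.52.0). The following is an added example, not code from the advisory, from Ray, or from either commenter, that evaluates OSV-style range events over a few constructed Ray version strings so the practical difference is visible: the ranges agree on 2.52.0 itself and disagree on every version on either side of it. The event semantics (introduced / fixed / last_affected) are assumed here from the OSV schema; the `parse_version` helper and the two range constants are assumptions built from the thread, not quoted from the advisory database.

```python
# Added example (not code from the advisory, Ray, or this thread): evaluates
# OSV-style "affected" range events to show which versions each of the two
# candidate ranges covers. The version strings and range definitions below
# are constructed from the discussion; the event semantics follow the OSV
# schema (introduced / fixed / last_affected) and are assumed, not quoted.
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ("2.52.0") into a comparable tuple.

    Assumption: only plain numeric components, which is enough for Ray's
    release tags; pre-release suffixes would need a PEP 440 parser."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, events: List[Dict[str, str]]) -> bool:
    """Return True if `version` falls inside an OSV event sequence.

    Semantics: an "introduced" event opens an interval; a following "fixed"
    closes it half-open ([introduced, fixed)) and "last_affected" closes it
    inclusively ([introduced, last_affected]). An "introduced" with no
    closing event extends to every later version."""
    v = parse_version(version)
    open_from: Optional[Tuple[int, ...]] = None
    for event in events:
        if "introduced" in event:
            open_from = parse_version(event["introduced"])
        elif "fixed" in event:
            if open_from is not None and open_from <= v < parse_version(event["fixed"]):
                return True
            open_from = None
        elif "last_affected" in event:
            if open_from is not None and open_from <= v <= parse_version(event["last_affected"]):
                return True
            open_from = None
    return open_from is not None and open_from <= v


# The range the PR proposed: vulnerability introduced together with the
# token authentication in 2.52.0, no upper bound (no fixed/last_affected).
PROPOSED_RANGE = [{"introduced": "2.52.0"}]

# The range the advisory kept ("<= 2.52.0"): every version up to and
# including 2.52.0, because the incomplete fix targets a pre-existing issue.
KEPT_RANGE = [{"introduced": "0"}, {"last_affected": "2.52.0"}]


def compare_ranges(versions: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each version to (affected under PROPOSED_RANGE, affected under KEPT_RANGE)."""
    return {v: (is_affected(v, PROPOSED_RANGE), is_affected(v, KEPT_RANGE)) for v in versions}


if __name__ == "__main__":
    # Constructed sample versions straddling the contested 2.52.0 boundary.
    for ver, (proposed, kept) in compare_ranges(["2.51.1", "2.52.0", "2.53.0"]).items():
        print(f"{ver}: proposed={proposed} kept={kept}")
```

Run as-is, the script reports 2.51.1 as affected only under the kept range, 2.52.0 as affected under both, and 2.53.0 as affected only under the proposed range, which is exactly the scanner-facing consequence of the disagreement in this thread: a tool consuming the kept range will not flag releases after 2.52.0, and a tool consuming the proposed range will not flag releases before it.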

@shelbyc shelbyc closed this Dec 10, 2025
@github-actions github-actions bot deleted the acidghost-GHSA-gx77-xgc2-4888 branch December 10, 2025 16:04
