Skip to content

[auto-cve-patch] [ray] allowlist 3 HIGH CVEs blocking ray 2.55.1 auto-release#6343

Closed
Jyothirmaikottu wants to merge 2 commits into
mainfrom
cve-patch/ray-57516
Closed

[auto-cve-patch] [ray] allowlist 3 HIGH CVEs blocking ray 2.55.1 auto-release#6343
Jyothirmaikottu wants to merge 2 commits into
mainfrom
cve-patch/ray-57516

Conversation

@Jyothirmaikottu

Copy link
Copy Markdown
Contributor

Purpose

Patch CVEs blocking the Ray auto-release security-test / ecr-vulnerability-scan gate. The scheduled Ray SageMaker and EC2 auto-releases failed because 3 non-allowlisted HIGH CVEs were flagged on the Ray 2.55.1 images.

Images affected

ray:ray-sagemaker-cpu-2.55.1, ray:ray-sagemaker-gpu-2.55.1, ray:ray-ec2-cpu-2.55.1, ray:ray-ec2-gpu-2.55.1

CVEs handled

CVE Package Severity Affected images Action Notes
CVE-2026-57516 ray 2.55.1 HIGH cpu, gpu (sagemaker + ec2) allowlist fix in ray 2.56.0; ray[serve] is an exact autorelease-managed pin (core contract), needs a Ray version bump
CVE-2026-54277 aiohttp 3.13.5 HIGH cpu, gpu (sagemaker + ec2) allowlist vendored in Ray's thirdparty_files/; cannot patch without upstream ray release
RUSTSEC-2026-0195 quick-xml 0.39.2 HIGH cpu, gpu (sagemaker + ec2) allowlist vendored in the uv binary; fix (0.41.0) not shipped in any stable uv release (latest 0.11.26 still ships 0.39.2)

Test plan

  • CI security tests pass for cpu and gpu
  • CI sanity tests pass for cpu and gpu
  • CI Ray-specific tests pass

🤖 Generated by Claude Code.

…auto-release

Ray 2.55.1 auto-release ecr-vulnerability-scan gate was blocked by 3
non-allowlisted HIGH CVEs across all sagemaker/ec2 cpu/gpu variants. All
three are forced-allowlist classes (no in-image bump available):

- CVE-2026-57516: ray 2.55.1->2.56.0 (WebDataset RCE). ray[serve] is an
  exact autorelease-managed pin (core contract); needs a Ray version bump.
- CVE-2026-54277: aiohttp 3.13.5->3.14.1. Vendored in ray thirdparty_files;
  matches 8 existing aiohttp allowlist entries.
- RUSTSEC-2026-0195: quick-xml 0.39.2->0.41.0. Vendored in the uv binary;
  fix not shipped in any stable uv release (latest 0.11.26 still 0.39.2).

Signed-off-by: Jyothirmai Kottu <jkottu@amazon.com>
jinyan-li1
jinyan-li1 previously approved these changes Jul 6, 2026
auto-merge was automatically disabled July 6, 2026 17:25

Pull request was closed

@sirutBuasai sirutBuasai deleted the cve-patch/ray-57516 branch July 9, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants