PT-2025-9877 · Ray+1 · Ray+1

Letao Jiang

Published

2025-03-06

Updated

2025-03-06

CVE-2025-1979

CVSS v3.1

6.4

Medium

Vector

AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions ray versions prior to 2.43.0

Description The issue concerns the insertion of sensitive information into log files, specifically the redis password being logged in standard logging. This occurs when the redis password is passed as an argument. The password could potentially leak if logs are accessible to an attacker. This is only exploitable if logging is enabled, Redis uses password authentication, and the logs are reachable by an attacker.

Recommendations For versions prior to 2.43.0, update to the latest version of Ray and then rotate the redis password. As a temporary workaround, consider disabling logging or restricting access to logs to minimize the risk of exploitation.

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-532

Related Identifiers

CVE-2025-1979

GHSA-W4RH-FGX7-Q63M

PYSEC-2025-23

Affected Products

Redis

Ray

PT-2025-9877 · Ray+1 · Ray+1

CVE-2025-1979

Weakness Enumeration

Related Identifiers

Affected Products

References · 13