CVE-2025-1979: 
Chainguard vulnerability analysis and mitigation

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File (CVE-2025-1979), discovered on February 11, 2025 and disclosed on March 6, 2025. The vulnerability affects the ray package's standard logging functionality where redis passwords are being exposed in logs (Snyk Advisory, NVD).

The vulnerability occurs when redis password is passed as an argument to the ray client server, where it gets logged in plaintext in the standard logging output. The issue was identified in the server.py file where the logger.info() function was directly logging the args parameter containing sensitive credentials. The vulnerability has been assigned CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v4.0 score of 5.7 (MEDIUM) and CVSS v3.1 score of 6.4 (MEDIUM) (NVD, Snyk Advisory).

If exploited, this vulnerability could lead to the exposure of redis passwords through log files. The impact is significant for confidentiality but requires specific conditions to be exploitable: 1) Logging must be enabled, 2) Redis must be using password authentication, and 3) The logs must be accessible to an attacker who can reach the redis instance (Snyk Advisory).

The vulnerability has been patched in ray version 2.43.0. Users are strongly recommended to upgrade to this version or higher. Additionally, after updating, it is recommended to rotate redis passwords as a precautionary measure. The fix involves redacting the redis password in logs by replacing it with asterisks before logging (GitHub Commit, Snyk Advisory).

The vulnerability was initially reported through GitHub issues and received prompt attention from the ray project maintainers. The fix was implemented and merged within a week of discovery, demonstrating the project's commitment to security. The community response was positive, with the fix being subsequently incorporated into dependent projects (GitHub Issue, GitHub PR).