[GHSA-gx77-xgc2-4888] Ray's New Token Authentication is Disabled By Default

[acidghost]

Updates

• Affected products

Comments
Token based authentication was introduced in Ray 2.52.0 (https://github.com/ray-project/ray/releases/tag/ray-2.52.0).

[Copilot]

Pull request overview

This PR updates the security advisory GHSA-gx77-xgc2-4888 to correct the affected version range for Ray's token authentication vulnerability. The advisory now accurately reflects that the vulnerability was introduced in version 2.52.0 (when token authentication was added but disabled by default) rather than affecting all versions from 0 onwards.

Key changes:

• Updated the affected version range to specify 2.52.0 as the introduction point
• Removed the "last_affected" field since the vulnerability continues in subsequent versions
• Updated the modification timestamp

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[shelbyc]

👋 Hi @acidghost, the vulnerable version range for GHSA-gx77-xgc2-4888 is set to <= 2.52.0 because the token based authentication that was introduced in Ray 2.52.0 was intended to fix an issue, GHSA-6wgj-66m2-xxp2, that's present in previous versions of Ray. When advisories discuss incomplete fixes for vulnerabilities, the VVR usually starts with the first vulnerable version, not the first version with the incomplete fix. Therefore, I'm going to keep the advisory the way it is for now. Thanks for your interest in GHSA-gx77-xgc2-4888!