GHSA-mw35-8rx3-xf9r: Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization
Summary
Ray Data registers its custom Arrow extension types globally with PyArrow. When PyArrow reads a Parquet file whose schema carries one of those type names, it passes the extension metadata bytes stored in the file to the type's deserialization hook, and that hook feeds them to cloudpickle.loads() (which is plain pickle.loads under the hood). Unpickling attacker-controlled bytes executes arbitrary code, so an attacker only needs Ray to read a crafted Parquet file. Because the registration is global, the hook also fires for any PyArrow Parquet read in a process that has imported Ray Data, not only reads that go through Ray's own APIs. The advisory notes that a similar issue had been fixed in May 2024 and that this variant was reintroduced in July 2025.
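The pattern above, as an added example that is not Ray's or PyArrow's code: a vulnerable extension type whose deserialization hook unpickles file-supplied metadata, beside a hardened one that parses a fixed JSON shape and validates every field. The class names, the registry, the field dictionary and the "demo.tensor" type are constructed for this illustration; the hook names `__arrow_ext_serialize__` / `__arrow_ext_deserialize__` and the schema keys `ARROW:extension:name` / `ARROW:extension:metadata` match PyArrow's, but pyarrow itself is not imported, and the standard-library `pickle` stands in for cloudpickle (whose `loads` is `pickle.loads`). The gadget records a marker instead of running a real payload.

```python
"""Vulnerable vs hardened Arrow extension-type metadata deserialization (illustrative)."""
import json
import pickle  # stand-in for cloudpickle: cloudpickle.loads is plain pickle.loads

# Side-effect log: the demo gadget records a marker here instead of running a payload.
EXECUTED = []


def record_execution(marker):
    """Stands in for os.system/subprocess in a real gadget chain."""
    EXECUTED.append(marker)
    # Return well-formed metadata so the victim type is built and nothing looks wrong.
    return {"shape": [1], "dtype": "int64"}


class MaliciousMetadata:
    """Pickle gadget: unpickling calls record_execution(...) via __reduce__."""
    def __reduce__(self):
        return (record_execution, ("payload-ran",))


def craft_malicious_metadata():
    """Bytes an attacker would store as the extension metadata of a Parquet schema field."""
    return pickle.dumps(MaliciousMetadata())


class VulnerableTensorType:
    """Hypothetical type mirroring pyarrow.ExtensionType hook names (not a real subclass)."""
    extension_name = "demo.tensor"

    def __init__(self, shape, dtype):
        self.shape, self.dtype = tuple(shape), dtype

    def __arrow_ext_serialize__(self):
        return pickle.dumps({"shape": list(self.shape), "dtype": self.dtype})

    @classmethod
    def __arrow_ext_deserialize__(cls, storage_type, serialized):
        meta = pickle.loads(serialized)  # attacker-controlled bytes -> arbitrary code
        return cls(meta["shape"], meta["dtype"])


ALLOWED_DTYPES = {"int8", "int16", "int32", "int64", "float32", "float64", "bool"}


class HardenedTensorType:
    """Same contract, but metadata is a fixed JSON object that is validated field by field."""
    extension_name = "demo.tensor"

    def __init__(self, shape, dtype):
        self.shape, self.dtype = tuple(shape), dtype

    def __arrow_ext_serialize__(self):
        return json.dumps({"shape": list(self.shape), "dtype": self.dtype}).encode("utf-8")

    @classmethod
    def __arrow_ext_deserialize__(cls, storage_type, serialized):
        try:
            meta = json.loads(serialized)
        except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
            raise ValueError("extension metadata is not valid JSON") from exc
        if not isinstance(meta, dict) or set(meta) != {"shape", "dtype"}:
            raise ValueError("unexpected metadata keys")
        shape, dtype = meta["shape"], meta["dtype"]
        if not (isinstance(shape, list) and all(
                isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
            raise ValueError("shape must be a list of non-negative ints")
        if not isinstance(dtype, str) or dtype not in ALLOWED_DTYPES:
            raise ValueError("unsupported dtype %r" % (dtype,))
        return cls(shape, dtype)


# Process-wide registry standing in for pa.register_extension_type(): once a type is
# registered, every Parquet read in the process resolves it; there is no per-read opt-in.
REGISTRY = {}


def register_extension_type(type_cls):
    REGISTRY[type_cls.extension_name] = type_cls


def read_schema_field(field):
    """Simulates PyArrow resolving one schema field that carries extension metadata."""
    type_cls = REGISTRY[field["ARROW:extension:name"]]
    return type_cls.__arrow_ext_deserialize__(
        field["storage_type"], field["ARROW:extension:metadata"])


if __name__ == "__main__":
    blob = craft_malicious_metadata()
    field = {"ARROW:extension:name": "demo.tensor", "storage_type": None,
             "ARROW:extension:metadata": blob}
    register_extension_type(VulnerableTensorType)
    read_schema_field(field)
    print("vulnerable type:", EXECUTED)  # gadget ran during the "read"
    register_extension_type(HardenedTensorType)
    try:
        read_schema_field(field)
    except ValueError as exc:
        print("hardened type rejected the blob:", exc)
```

The check worth copying is the shape of the hardened hook: the on-disk format is a closed, self-describing structure (JSON here), the parser never dispatches on type names found in the data, and every field is validated against an allow-list before an object is built. Any `pickle.loads`/`cloudpickle.loads` on bytes read from a file is the same bug regardless of what wraps it.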
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-mw35-8rx3-xf9r
First tracked: April 24, 2026 at 02:00 PM