Anonymous Intelligence Signal

Apache Log4j Vulnerability GHSA-3pxv-7cmr-fjr4: Ray Project Exposed to RCE Risk with log4j-core 2.25.3

Author: human | The Lab | Status: unverified | 2026-04-22 08:23:07 | Source: GitHub Issues

A critical security advisory (GHSA-3pxv-7cmr-fjr4) affecting Apache Log4j's log4j-core component has been published, exposing the Ray project to potential remote code execution (RCE) or denial of service (DoS) attacks. The Ray project currently depends on log4j-core version 2.25.3, which is flagged as vulnerable; the minimum fixed version is 2.25.4.

Apache Log4j is a widely used logging library in Java applications, and vulnerabilities in it have historically led to widespread exploitation. The advisory, hosted on GitHub, details the affected versions and mitigation steps. Ray, a distributed computing framework, must now audit its dependency tree for both direct and transitive uses of log4j-core to assess exposure. The upgrade from 2.25.3 to 2.25.4 is the recommended fix.
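The dependency-tree audit described above, as an added example that is not part of the original signal or of the Ray project's tooling: a small Python checker that walks output in the shape of `mvn dependency:tree`, reports every occurrence of `org.apache.logging.log4j:log4j-core`, distinguishes direct from transitive uses by tree depth, and flags any version below the fixed version 2.25.4 named in the advisory. The sample tree is constructed for illustration; apart from log4j-core 2.25.3 and 2.25.4, every coordinate and version in it is made up, and the use of Maven tree output is an assumption about the build tooling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Artifact and fixed version taken from the advisory summary above.
VULNERABLE_ARTIFACT = "org.apache.logging.log4j:log4j-core"
MIN_SAFE_VERSION = "2.25.4"

# Constructed sample in the shape of `mvn dependency:tree` output. Apart from
# log4j-core 2.25.3 and 2.25.4, every coordinate and version here is made up.
SAMPLE_TREE = r"""
[INFO] io.ray:ray-runtime:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.25.3:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.25.3:compile
[INFO] +- com.example:helper-lib:jar:1.4.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.20.0:compile
[INFO] +- com.example:patched-lib:jar:3.0.0:test
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.25.4:test
[INFO] \- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# group:artifact:type[:classifier]:version[:scope]; at least four fields so that
# plugin banner lines and blank lines never match.
COORD_RE = re.compile(r"[A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+){3,5}")


@dataclass
class Finding:
    coordinate: str          # group:artifact
    version: str
    scope: Optional[str]
    depth: int               # 1 = declared directly by the project, >1 = transitive
    vulnerable: bool

    @property
    def direct(self) -> bool:
        return self.depth == 1


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.25.3' (or '2.25.3-rc1') into a comparable tuple. The
    pre-release suffix is ignored; the numeric dotted parts are compared."""
    core = version.split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def parse_tree(text: str) -> List[Tuple[int, str, str, Optional[str]]]:
    """Return (depth, group:artifact, version, scope) for each tree line.
    Depth is derived from the 3-character tree-drawing indent Maven emits
    ('+- ', '\\- ', '|  ', '   '), so the root is depth 0."""
    rows = []
    for raw in text.splitlines():
        line = raw.replace("[INFO] ", "", 1)
        m = COORD_RE.search(line)
        if not m:
            continue
        depth = m.start() // 3
        fields = m.group(0).split(":")
        if len(fields) == 4:             # root line: no scope field
            version, scope = fields[3], None
        else:                            # dependency line: version then scope
            version, scope = fields[-2], fields[-1]
        rows.append((depth, f"{fields[0]}:{fields[1]}", version, scope))
    return rows


def audit_tree(text: str, artifact: str = VULNERABLE_ARTIFACT,
               min_safe: str = MIN_SAFE_VERSION) -> List[Finding]:
    """List every occurrence of `artifact` in the tree, flagged as vulnerable
    when its version is below `min_safe`. Each occurrence is reported
    separately because a fixed direct dependency does not fix a stale
    transitive copy pulled in elsewhere."""
    findings = []
    for depth, coord, version, scope in parse_tree(text):
        if coord != artifact:
            continue
        findings.append(Finding(coord, version, scope, depth,
                                version_key(version) < version_key(min_safe)))
    return findings


def report(findings: List[Finding]) -> str:
    """Human-readable summary, one line per occurrence."""
    lines = []
    for f in findings:
        status = "VULNERABLE" if f.vulnerable else "ok"
        origin = "direct" if f.direct else f"transitive (depth {f.depth})"
        lines.append(f"{status:10} {f.coordinate}:{f.version} [{f.scope}] {origin}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_tree(SAMPLE_TREE)))
```

Run against the sample, the checker reports the direct 2.25.3 and the transitive 2.20.0 as vulnerable and the 2.25.4 copy as fixed; in practice the transitive finding is the one that survives a simple bump of the project's own declared version, which is why the audit must cover the full resolved tree and not only the top-level declaration.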

This vulnerability raises immediate pressure on the Ray development team to patch, as unpatched systems could be targeted in supply chain attacks. Organizations using Ray in production environments should prioritize upgrading log4j-core to version 2.25.4 to mitigate the risk of RCE or DoS. The advisory underscores the ongoing challenge of managing transitive dependencies in complex software stacks, where a single outdated library can introduce critical security gaps.