py3-vllm-cuda-12.4
Chainguard
Status
Impact
The vulnerable commons-lang3 3.13.0 is not a direct dependency of vLLM; it is carried inside a shaded (uber) JAR that Ray ships in its distribution, so it cannot be upgraded from vLLM's build. The affected file is /usr/lib/python3.12/site-packages/ray/jars/ray_dist.jar, which bundles commons-lang3 3.13.0. Remediation therefore requires an upstream Ray release whose bundled commons-lang3 is updated to 3.18.0. Ray 2.47.1 (the latest release as of June 2025) still bundles the vulnerable 3.13.0.
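The claim above rests on what is inside a shaded JAR, which a package-level scanner of the Python distribution will not see. The following script is an added example, not Chainguard's or Ray's tooling: it inspects a JAR for the Maven metadata that the shade plugin normally keeps under META-INF/maven/<groupId>/<artifactId>/pom.properties, reports the bundled commons-lang3 version, and compares it with 3.18.0 (the fix version the advisory names). It assumes ray_dist.jar retains that pom.properties entry; when the metadata has been stripped it falls back to looking for relocated-or-not org/apache/commons/lang3/ classes and reports the version as unknown. The sample JAR it builds is constructed test data, not Ray's artifact.

```python
"""Check a shaded JAR for the bundled commons-lang3 version (added example)."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Fix version named in the advisory; everything below it is treated as vulnerable.
FIXED_VERSION = (3, 18, 0)
LANG3_COORD = "org.apache.commons:commons-lang3"
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text: str) -> tuple:
    """Turn '3.13.0' into (3, 13, 0); a qualifier such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def bundled_artifacts(zf: zipfile.ZipFile) -> dict:
    """Map 'groupId:artifactId' -> version for every pom.properties in the JAR."""
    found = {}
    for name in zf.namelist():
        m = POM_PROPS_RE.match(name)
        if not m:
            continue
        props = {}
        for line in zf.read(name).decode("utf-8", "replace").splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
        gid = props.get("groupId", m.group(1))
        aid = props.get("artifactId", m.group(2))
        if "version" in props:
            found[f"{gid}:{aid}"] = props["version"]
    return found


def commons_lang3_status(jar_bytes: bytes) -> dict:
    """Report whether commons-lang3 is bundled and whether it predates the fix.

    If the shade plugin stripped the Maven metadata, the class path alone still
    proves the library is present, but the version is then unknown (None).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = bundled_artifacts(zf).get(LANG3_COORD)
        if version is not None:
            return {"bundled": True, "version": version,
                    "vulnerable": parse_version(version) < FIXED_VERSION}
        has_classes = any(n.startswith("org/apache/commons/lang3/") for n in zf.namelist())
    return {"bundled": has_classes, "version": None, "vulnerable": None}


def build_sample_jar(lang3_version: str, keep_metadata: bool = True) -> bytes:
    """Constructed stand-in for ray_dist.jar: a shaded JAR carrying commons-lang3
    classes and, optionally, its Maven metadata (sample data, not Ray's JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if keep_metadata:
            zf.writestr(
                "META-INF/maven/org.apache.commons/commons-lang3/pom.properties",
                f"#Generated by Maven\nversion={lang3_version}\n"
                "groupId=org.apache.commons\nartifactId=commons-lang3\n",
            )
        # Minimal class-file stub (magic number only) so the path exists.
        zf.writestr("org/apache/commons/lang3/StringUtils.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_lang3.py /usr/lib/python3.12/site-packages/ray/jars/ray_dist.jar
    # Without an argument it checks the constructed sample JAR instead.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_jar("3.13.0")
    print(commons_lang3_status(data))
```

Run it against the ray_dist.jar path from the advisory inside the image to confirm the finding, and again after a Ray bump to confirm the bundled version reads 3.18.0. A `version: None` result with `bundled: True` means the metadata was stripped and the version has to be established another way (for example from the upstream build that produced the JAR) rather than taken as fixed.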