
[Aikido] Fix 23 security issues in concurrent-ruby, nokogiri, net-imap and 3 more #309

Open

aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-15553-update-packages-52735984-1wwn

Conversation

@aikido-autofix


Upgrade concurrent-ruby, nokogiri, net-imap, sqlite3, websocket-driver, and psych to fix DoS vulnerabilities including infinite retry loops, lock state corruption, and memory leaks.

✅ 23 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-54904 | MEDIUM | [concurrent-ruby] AtomicReference#update enters an infinite busy loop when the stored value is Float::NAN due to NaN's self-inequality, causing CPU exhaustion and permanent hangs in applications storing numeric data. |
| CVE-2026-54906 | LOW | [concurrent-ruby] release_write_lock fails to verify the calling thread owns the lock, allowing any thread to release it and enable concurrent writers; release_read_lock unconditionally decrements the counter, corrupting the lock state and causing subsequent read acquisitions to fail with ResourceLimitError. |
| CVE-2026-54905 | LOW | [concurrent-ruby] A bit overflow in ReentrantReadWriteLock's per-thread hold counter allows a write lock to be incorrectly granted after 32,768 reentrant read acquisitions, breaking mutual exclusion and enabling concurrent read access during claimed write lock ownership. This can lead to data races and inconsistent reads of protected state. |
| GHSA-5prr-v3j2-97mh | LOW | [nokogiri] Out-of-bounds read vulnerability in NodeSet indexing allows attackers to cause denial of service or memory disclosure by passing large negative indices that bypass bounds checking. The vulnerability affects CRuby (crashes/memory leak) but not JRuby. |
| GHSA-v2fc-qm4h-8hqv | LOW | [nokogiri] XSLT transform leaks small heap allocations when passed Ruby strings containing null bytes, potentially enabling denial of service attacks on long-running processes through sustained attacker-controlled input. Memory corruption and information disclosure do not occur. |
| GHSA-wx95-c6cv-8532 | LOW | [nokogiri] Canonicalization failure in canonicalize methods returns empty string instead of raising an exception, allowing downstream libraries to accept invalid XML and bypass signature validation in SAML implementations. |
| GHSA-c4rq-3m3g-8wgx | LOW | [nokogiri] CSS selector tokenizer contains regular expressions vulnerable to ReDoS attacks on adversarial selectors, allowing attackers to cause exponential regex backtracking and denial of service through CSS parsing methods. |
| GHSA-8678-w3jw-xfc2 | LOW | [nokogiri] JRuby implementation did not properly enforce the NONET parse option, allowing external resources to be fetched over the network and potentially enabling SSRF or XXE attacks. This bypass of a previous security fix has been remedied by replacing the scheme denylist with an allowlist. |
| GHSA-wfpw-mmfh-qq69 | LOW | [nokogiri] XInclude substitution in do_xinclude freed memory containing nodes and namespaces already exposed to Ruby, causing use-after-free vulnerabilities. This could result in invalid memory reads or writes when using the freed objects. |
| GHSA-5v8h-3h3q-446p | LOW | [nokogiri] Setting an invalid encoding on a Document leaves it referencing freed memory, potentially causing a segfault or information disclosure on subsequent encoding access. This requires unusual API usage with invalid encoding values followed by continued document use. |
| GHSA-9cv2-cfxc-v4v2 | LOW | [nokogiri] A NULL pointer dereference vulnerability occurs when calling methods on uninitialized native wrapper classes inheriting from Nokogiri::XML::Node, potentially causing process crashes. This requires direct misuse of .allocate() and cannot be triggered through normal API usage or untrusted input. |
| GHSA-p67v-3w7g-wjg7 | LOW | [nokogiri] XPathContext fails to keep its source document alive during garbage collection, potentially causing memory reads and segfaults if the document is collected while the context is still in use. This only affects direct XPathContext construction and does not impact normal Document search methods. |
| GHSA-phwj-rprq-35pp | LOW | [nokogiri] A use-after-free vulnerability in the CRuby native extension could cause a segfault when replacing an XML attribute value after accessing its child node, leaving a wrapper pointing to freed memory. This requires unusual API usage patterns and is mitigated by preserving wrapped attribute child nodes before value replacement. |
| GHSA-wjv4-x9w8-wm3h | LOW | [nokogiri] A heap use-after-free vulnerability exists when a DTD node is set as the document root via Document#root=, potentially causing invalid memory reads or segfaults during garbage collection. The vulnerability requires programming error and cannot be triggered by untrusted input. |
| CVE-2026-47240 | LOW | [net-imap] A command injection vulnerability exists in IMAP commands that accept raw data arguments containing non-synchronizing literals, which can be exploited on servers lacking LITERAL+/LITERAL-/IMAP4rev2 support to inject arbitrary IMAP commands via CRLF sequences. This affects search, sort, thread, and fetch commands when processing unvalidated user-controlled input, potentially allowing unauthorized mailbox operations. |
| CVE-2026-47242 | LOW | [net-imap] The #id and #enable commands fail to validate arguments, allowing attackers to inject arbitrary IMAP commands via CRLF sequences. This could enable unauthorized mailbox operations when untrusted input is passed to these commands. |
| CVE-2026-47241 | LOW | [net-imap] A regex validation bypass in Net::IMAP allows attackers to inject literal continuation markers (like {0} or {0+}) into search, sort, fetch, and thread commands, causing command absorption and denial of service through hangs and timeouts. Multi-threaded environments are particularly vulnerable as subsequent commands may hang indefinitely waiting for responses. |
| AIKIDO-2026-11126 | LOW | [sqlite3] A use-after-free vulnerability in aggregate function callbacks allows stepping prepared statements after database closure to trigger invalid memory reads and segmentation faults, causing denial of service in applications using custom aggregates. |
| AIKIDO-2026-11127 | LOW | [sqlite3] User-defined SQLite functions with duplicate names and different argument counts can cause invalid memory reads and process crashes due to premature garbage collection of referenced Ruby blocks. This denial-of-service vulnerability affects applications using create_function or define_function. |
| AIKIDO-2026-11128 | LOW | [websocket-driver] A malicious peer can send endless high-bit-set bytes to cause unbounded memory consumption through arbitrarily growing integer parsing in draft WebSocket protocol handlers, leading to denial of service. |
| AIKIDO-2026-11129 | LOW | [websocket-driver] An attacker can send unlimited HTTP headers during WebSocket handshakes, causing unbounded memory consumption and leading to denial of service. The vulnerability affects TCP-based server and client integrations by exhausting process memory through a never-ending header list. |
| AIKIDO-2026-11130 | LOW | [websocket-driver] A vulnerability allows attackers to bypass message size limits by sending compressed frames that exceed the configured maximum after decompression, potentially causing excessive memory consumption. The fix validates message size after extension processing rather than before decompression. |
| AIKIDO-2026-11069 | LOW | [psych] A heap out-of-bounds write vulnerability exists in the YAML parser's IO reader callback, which fails to validate the length of data returned by IO#read operations. This allows attackers to trigger a buffer overflow and achieve remote code execution through Psych.load, Psych.safe_load, or Psych.parse. |
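As an added illustration of the CVE-2026-54904 entry above (a constructed model, not concurrent-ruby's own code): a compare-and-swap update loop whose CAS compares with `==` never observes a match once the cell holds `Float::NAN`, because `NaN == NaN` is false, so every retry fails and the loop would spin forever; comparing by object identity (`equal?`) lets the same update succeed on the first attempt. `ModelCell`, `bounded_update` and `nan_update_attempts` are names assumed here, and the retry bound exists only so the demonstration terminates.

```ruby
# Constructed model of a CAS update loop in the spirit of the
# AtomicReference#update pattern: read, compute, retry on contention.
# NOT concurrent-ruby's implementation; a stand-in to show why
# value-equality CAS misbehaves once the cell holds Float::NAN.
class ModelCell
  MAX_ATTEMPTS = 1_000 # retry bound so the demo cannot hang

  def initialize(value, compare_with_identity:)
    @value = value
    @identity = compare_with_identity
    @mutex = Mutex.new
  end

  def get
    @mutex.synchronize { @value }
  end

  # CAS using either Object#equal? (identity) or == (value equality).
  def compare_and_set(expected, new_value)
    @mutex.synchronize do
      same = @identity ? @value.equal?(expected) : @value == expected
      @value = new_value if same
      same
    end
  end

  # Returns [final_value, attempts]; attempts == MAX_ATTEMPTS means the
  # CAS never succeeded and an unbounded loop would have spun forever.
  def bounded_update
    MAX_ATTEMPTS.times do |i|
      old = get
      new_value = yield old
      return [new_value, i + 1] if compare_and_set(old, new_value)
    end
    [get, MAX_ATTEMPTS]
  end
end

# With == the stored NaN never matches itself, so the retry bound is
# exhausted; with equal? the same update succeeds on the first try.
def nan_update_attempts(compare_with_identity:)
  cell = ModelCell.new(Float::NAN, compare_with_identity: compare_with_identity)
  _, attempts = cell.bounded_update { |old| old.nan? ? 0.0 : old + 1.0 }
  attempts
end

if __FILE__ == $PROGRAM_NAME
  puts "value-equality CAS attempts: #{nan_update_attempts(compare_with_identity: false)}"
  puts "identity CAS attempts:       #{nan_update_attempts(compare_with_identity: true)}"
end
```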
@codecov

codecov Bot commented Jun 20, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
