[Aikido] Fix 23 security issues in nokogiri, concurrent-ruby, net-imap and 3 more #316

Closed

aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-16022-update-packages-56261232-3mq3

[Aikido] Fix 23 security issues in nokogiri, concurrent-ruby, net-imap and 3 more#316
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/AIK-16022-update-packages-56261232-3mq3

Conversation

@aikido-autofix

Upgrade dependencies to fix security vulnerabilities: Nokogiri ReDoS in CSS selectors (High), canonicalization bypass, memory leak, and bounds check bypass; concurrent-ruby, net-imap, sqlite3, websocket-driver, and psych patches.

✅ 23 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| GHSA-5prr-v3j2-97mh | LOW | [nokogiri] Out-of-bounds read vulnerability in NodeSet indexing allows attackers to pass large negative indices that bypass bounds checks, causing denial of service via process crash or potential memory disclosure. On CRuby, this results in an out-of-bounds read; on JRuby, it returns incorrect nodes. |
| GHSA-v2fc-qm4h-8hqv | LOW | [nokogiri] XSLT transform leaks small heap allocations when passed Ruby strings containing null bytes, potentially enabling denial of service attacks on long-running processes through sustained attacker-controlled input. Memory corruption and information disclosure do not occur. |
| GHSA-wx95-c6cv-8532 | LOW | [nokogiri] Canonicalization failure in canonicalize methods returns empty string instead of raising an exception, allowing downstream libraries to accept invalid XML and bypass signature validation in SAML implementations. |
| GHSA-c4rq-3m3g-8wgx | LOW | [nokogiri] CSS selector tokenizer contains regular expressions vulnerable to ReDoS attacks on adversarial selectors, allowing attackers to cause exponential regex backtracking and denial of service through CSS parsing methods. |
| GHSA-8678-w3jw-xfc2 | LOW | [nokogiri] JRuby implementation did not properly enforce the NONET parse option, allowing external resources to be fetched over the network and potentially enabling SSRF or XXE attacks on XML schemas parsed with default options. |
| GHSA-wfpw-mmfh-qq69 | LOW | [nokogiri] XInclude substitution in do_xinclude freed nodes and namespaces that were already exposed to Ruby, leaving objects pointing at freed memory and causing potential invalid reads/writes. This affects CRuby only when XInclude is called after traversing the document tree. |
| GHSA-5v8h-3h3q-446p | LOW | [nokogiri] Setting an invalid encoding on a Document causes a use-after-free vulnerability, potentially leading to segfaults or memory disclosure. This requires an unusual API pattern of assigning invalid encoding, catching the exception, and continuing to use the document. |
| GHSA-9cv2-cfxc-v4v2 | LOW | [nokogiri] NULL pointer dereference in native wrapper classes when calling methods on uninitialized objects allocated directly via .allocate, causing process crashes. This requires direct misuse of the API and cannot be triggered by untrusted input. |
| GHSA-p67v-3w7g-wjg7 | LOW | [nokogiri] XPathContext did not keep its source document alive for garbage collection, potentially causing memory reads and segfaults if the document was collected while the context remained in use. This only affects direct XPathContext construction with an unreachable document; normal Document search methods are unaffected. |
| GHSA-phwj-rprq-35pp | LOW | [nokogiri] Use-after-free vulnerability in XML attribute value replacement that could cause a segfault when accessing previously-wrapped attribute child nodes. Requires unusual API usage pattern combining direct child node access with subsequent attribute value mutation. |
| GHSA-wjv4-x9w8-wm3h | LOW | [nokogiri] A heap use-after-free vulnerability exists when setting a non-element node (like a DTD) as the document root via Document#root=, potentially causing segfaults or invalid memory reads. The vulnerability requires programming error and cannot be triggered by untrusted input. |
| CVE-2026-54904 | LOW | [concurrent-ruby] AtomicReference#update enters an infinite busy loop when the stored value is Float::NAN due to NaN comparison semantics, causing CPU exhaustion or permanent hangs in affected services. |
| CVE-2026-54905 | LOW | [concurrent-ruby] ReentrantReadWriteLock incorrectly grants write locks after 32,768 reentrant read acquisitions due to integer overflow in lock state tracking, breaking mutual exclusion and allowing concurrent read/write access. This enables data corruption and race conditions. |
| CVE-2026-54906 | LOW | [concurrent-ruby] A synchronization vulnerability allows any thread to release another thread's write lock, enabling concurrent write access violations. Additionally, releasing a read lock on a fresh lock corrupts the counter, preventing future read acquisitions. |
| CVE-2026-47240 | LOW | [net-imap] A CRLF command injection vulnerability allows attackers to inject arbitrary IMAP commands through non-synchronizing literals when servers lack support for this feature, affecting search, sort, thread, and fetch operations. This enables remote code execution or unauthorized actions on IMAP servers. |
| CVE-2026-47242 | LOW | [net-imap] Command injection vulnerability in the id and enable methods allows attackers to inject arbitrary IMAP commands through unvalidated CRLF sequences and atom values. This enables remote code execution or unauthorized actions on the IMAP server. |
| CVE-2026-47241 | LOW | [net-imap] Net::IMAP's insufficient validation of raw string arguments allows attackers to inject commands that are absorbed as continuations, causing commands to hang indefinitely and preventing proper responses. This results in a denial of service through connection blocking. |
| AIKIDO-2026-11126 | LOW | [sqlite3] A use-after-free vulnerability in aggregate function callbacks allows stepping prepared statements after database closure to trigger invalid memory reads and segmentation faults, causing denial of service in applications using custom aggregates. |
| AIKIDO-2026-11127 | LOW | [sqlite3] User-defined SQLite functions with duplicate names and different argument counts can cause invalid memory reads and process crashes due to premature garbage collection of referenced Ruby blocks. This denial-of-service vulnerability affects applications using create_function or define_function. |
| AIKIDO-2026-11128 | LOW | [websocket-driver] A malicious peer can send endless high-bit-set bytes to cause unbounded memory consumption through arbitrarily growing integer parsing in draft WebSocket protocol handlers, leading to denial of service. |
| AIKIDO-2026-11129 | LOW | [websocket-driver] An attacker can send unlimited HTTP headers during WebSocket handshakes, causing unbounded memory consumption and leading to denial of service. The vulnerability affects TCP-based server and client integrations by exhausting process memory through a never-ending header list. |
| AIKIDO-2026-11130 | LOW | [websocket-driver] A vulnerability allows attackers to bypass message size limits by sending compressed frames that exceed the configured maximum after decompression, potentially causing excessive memory consumption. The fix validates message size after extension processing rather than before decompression. |
| AIKIDO-2026-11069 | LOW | [psych] A heap out-of-bounds write vulnerability exists in the YAML parser's IO reader callback, which fails to validate the length of data returned by IO#read operations. This allows attackers to trigger a buffer overflow and achieve remote code execution through Psych.load, Psych.safe_load, or Psych.parse. |
@codecov

codecov Bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@aikido-autofix (Author)

Closed by Aikido: a new AutoFix has been created → #318

@aikido-autofix aikido-autofix Bot closed this Jun 27, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/AIK-16022-update-packages-56261232-3mq3 branch June 27, 2026 22:59