
concurrent-ruby-1.3.3.gem: 3 vulnerabilities (highest severity is: 7.5) #232

Description

@appcues-wss
Vulnerable Library - concurrent-ruby-1.3.3.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.3.gem

Path to dependency file: /example/Gemfile.lock

Path to vulnerable library: /example/Gemfile.lock

Found in HEAD commit: 3db7a414c18649ac89b74bbea1ae5f8072fd142d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (concurrent-ruby version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-54904 | High | 7.5 | concurrent-ruby-1.3.3.gem | Direct | v1.3.7 (https://github.com/ruby-concurrency/concurrent-ruby.git) | |
| CVE-2026-54905 | Medium | 5.3 | concurrent-ruby-1.3.3.gem | Direct | v1.3.7 (https://github.com/ruby-concurrency/concurrent-ruby.git) | |
| CVE-2026-54906 | Medium | 4.0 | concurrent-ruby-1.3.3.gem | Direct | v1.3.7 (https://github.com/ruby-concurrency/concurrent-ruby.git) | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
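All three findings share one remediation: a concurrent-ruby pin at or above 1.3.7. The following is an added example, not part of the scanner's output or of concurrent-ruby, that reads a Gemfile.lock and reports any resolved concurrent-ruby version below the fixed release. The lockfile fragment is constructed for the example; the real /example/Gemfile.lock from the scan is not reproduced here.

```ruby
require "rubygems"   # Gem::Version; loaded by default in a normal Ruby run

FIXED_VERSION = Gem::Version.new("1.3.7")

# Constructed sample lockfile (not the /example/Gemfile.lock from the scan).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      concurrent-ruby (1.3.3)
      i18n (1.14.1)
        concurrent-ruby (~> 1.0)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    concurrent-ruby
    rake
LOCK

# Resolved versions of gem_name from the specs section. Spec lines sit at
# exactly four spaces of indentation; their dependency lines (six spaces,
# version constraints rather than versions) are skipped. A platform suffix
# such as "1.3.3-x86_64-linux" is trimmed to its numeric part.
def locked_versions(lock_text, gem_name)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/
  lock_text.scan(pattern).flatten.map { |v| Gem::Version.new(v.split("-").first) }
end

# Locked versions below the fixed release; an empty result means nothing to do.
def vulnerable_versions(lock_text, gem_name: "concurrent-ruby", fixed: FIXED_VERSION)
  locked_versions(lock_text, gem_name).select { |v| v < fixed }
end

if __FILE__ == $PROGRAM_NAME
  lock_text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  bad = vulnerable_versions(lock_text)
  if bad.empty?
    puts "concurrent-ruby: no version below #{FIXED_VERSION} locked"
  else
    puts "concurrent-ruby #{bad.map(&:to_s).join(', ')} locked; upgrade to >= #{FIXED_VERSION}"
  end
end
```

Run it as `ruby check_lock.rb path/to/Gemfile.lock`; with no argument it checks the constructed sample. Because a lockfile can resolve one version per platform, the check returns every matching version rather than assuming a single line.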

Details

CVE-2026-54904

Vulnerable Library - concurrent-ruby-1.3.3.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.3.gem

Path to dependency file: /example/Gemfile.lock

Path to vulnerable library: /example/Gemfile.lock

Dependency Hierarchy:

  • concurrent-ruby-1.3.3.gem (Vulnerable Library)

Found in HEAD commit: 3db7a414c18649ac89b74bbea1ae5f8072fd142d

Found in base branch: main

Vulnerability Details

concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction of three things:

  • AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds;
  • the Numeric path of compare_and_set, which checks old == old_value before attempting the underlying atomic swap;
  • Ruby NaN semantics, where Float::NAN == Float::NAN is always false.

As a result, once an AtomicReference contains Float::NAN, every call to #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
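The following is an added example, not code from concurrent-ruby, that models the retry loop in plain Ruby so the non-convergence can be observed with a spin budget instead of a hang. ModelAtomicRef, update_with_budget and sanitize_external_number are names chosen for this example; the NaN-aware compare_and_set_nan_safe is one illustrative fix, not the gem's actual patch, and the input guard at the end is what a caller can apply on a still-vulnerable version.

```ruby
# Model of the vulnerable retry pattern (not the gem's code): a reference whose
# Numeric compare_and_set uses ==, so a stored NaN can never be matched.
class ModelAtomicRef
  def initialize(value)
    @value = value
    @mutex = Mutex.new
  end

  def get
    @mutex.synchronize { @value }
  end

  # Vulnerable shape: NaN == NaN is false, so this never succeeds for NaN.
  def compare_and_set(old_value, new_value)
    @mutex.synchronize do
      return false unless @value == old_value
      @value = new_value
      true
    end
  end

  # Illustrative fix (an assumption, not the gem's patch): treat two NaNs as
  # the same value so the swap can succeed and the loop can exit.
  def compare_and_set_nan_safe(old_value, new_value)
    @mutex.synchronize do
      same = @value == old_value ||
             (@value.is_a?(Float) && old_value.is_a?(Float) && @value.nan? && old_value.nan?)
      return false unless same
      @value = new_value
      true
    end
  end
end

# The #update shape: re-read, run the block, CAS, repeat. Returns the number of
# failed spins before success, or max_spins if it never converged.
def update_with_budget(ref, max_spins, cas_method)
  spins = 0
  loop do
    old_value = ref.get
    new_value = yield old_value
    return spins if ref.public_send(cas_method, old_value, new_value)
    spins += 1
    return max_spins if spins >= max_spins
  end
end

# Vulnerable path: the block runs on every spin and the budget is exhausted.
def nan_update_spins(max_spins = 1_000)
  ref = ModelAtomicRef.new(Float::NAN)
  update_with_budget(ref, max_spins, :compare_and_set) { |v| v + 1.0 }
end

# NaN-aware path: the first CAS succeeds and the NaN is replaced.
def nan_update_spins_safe(max_spins = 1_000)
  ref = ModelAtomicRef.new(Float::NAN)
  spins = update_with_budget(ref, max_spins, :compare_and_set_nan_safe) { |_v| 0.0 }
  [spins, ref.get]
end

# Caller-side guard for externally derived numbers: never let NaN (or an
# infinity) reach the reference in the first place.
def sanitize_external_number(raw, default: 0.0)
  f = Float(raw, exception: false)
  f && f.finite? ? f : default
end
```

With the vulnerable compare the block is evaluated once per spin and the loop only stops because this model imposes a budget; the real #update has none, which is the hang the advisory describes.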

Publish Date: 2026-06-24

URL: CVE-2026-54904

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: ruby-concurrency/concurrent-ruby@6e37e06

Release Date: 2026-06-19

Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-54905

Vulnerable Library - concurrent-ruby-1.3.3.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.3.gem

Path to dependency file: /example/Gemfile.lock

Path to vulnerable library: /example/Gemfile.lock

Dependency Hierarchy:

  • concurrent-ruby-1.3.3.gem (Vulnerable Library)

Found in HEAD commit: 3db7a414c18649ac89b74bbea1ae5f8072fd142d

Found in base branch: main

Vulnerability Details

concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits hold the read hold count (0 to 32,767), and bit 15 is used as WRITE_LOCK_HELD. The 32,768th (2^15) reentrant read acquisition therefore carries the local read count into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
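The following is an added example, not code from concurrent-ruby, that models only the per-thread hold-count layout described above (15 bits of read count, bit 15 as WRITE_LOCK_HELD) to show exactly where the 32,768th reentrant read lands, beside a checked increment that refuses to run past the field's width. The constant names and the HoldCountOverflow error are assumptions of this example; the bit positions are taken from the description.

```ruby
# Layout taken from the advisory text; the names are this example's own.
READ_HOLD_BITS  = 15
READ_HOLD_MASK  = (1 << READ_HOLD_BITS) - 1   # 0x7FFF: low 15 bits
WRITE_LOCK_HELD = 1 << READ_HOLD_BITS         # 0x8000: bit 15

class HoldCountOverflow < StandardError; end

# Vulnerable shape: an unchecked increment, so the 32,768th read hold
# carries out of the 15-bit field and into the write bit.
def acquire_read_unchecked(packed)
  packed + 1
end

# Checked shape: refuse to count past the field's width instead of
# silently corrupting the neighbouring flag.
def acquire_read_checked(packed)
  if (packed & READ_HOLD_MASK) == READ_HOLD_MASK
    raise HoldCountOverflow, "read hold count would overflow #{READ_HOLD_BITS} bits"
  end
  packed + 1
end

# What try_write_lock sees: is the write-held flag set for this thread?
def looks_like_write_holder?(packed)
  (packed & WRITE_LOCK_HELD) != 0
end

def read_hold_count(packed)
  packed & READ_HOLD_MASK
end

# Simulate one thread re-acquiring the read lock n times from a clean state.
def reenter_read(n, checked: false)
  packed = 0
  n.times do
    packed = checked ? acquire_read_checked(packed) : acquire_read_unchecked(packed)
  end
  packed
end

# Number of reentrant read acquisitions after which the thread is mistaken
# for a write holder under the unchecked increment.
def reads_until_phantom_write_hold
  packed = 0
  count = 0
  until looks_like_write_holder?(packed)
    packed = acquire_read_unchecked(packed)
    count += 1
  end
  count
end
```

Note that after the overflow the read hold count reads back as zero while the write flag is set: the thread has lost its 32,768 read holds from the lock's point of view as well as gained a write hold it never acquired.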

Publish Date: 2026-06-24

URL: CVE-2026-54905

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: ruby-concurrency/concurrent-ruby@7e4d711

Release Date: 2026-06-19

Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-54906

Vulnerable Library - concurrent-ruby-1.3.3.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.3.gem

Path to dependency file: /example/Gemfile.lock

Path to vulnerable library: /example/Gemfile.lock

Dependency Hierarchy:

  • concurrent-ruby-1.3.3.gem (Vulnerable Library)

Found in HEAD commit: 3db7a414c18649ac89b74bbea1ae5f8072fd142d

Found in base branch: main

Vulnerability Details

concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock likewise decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
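The following is an added example, not code from concurrent-ruby, giving a small read/write lock model that reproduces both unchecked releases described above and, with check_ownership: true, the ownership checks that close them. ModelReadWriteLock, LockError and the scenario helpers are names chosen for this example; the local ResourceLimitError stands in for Concurrent::ResourceLimitError, and the internal bookkeeping (a writer thread and per-thread read holds) is an assumption of the model, not the gem's implementation.

```ruby
class LockError < StandardError; end
class ResourceLimitError < StandardError; end   # stands in for Concurrent::ResourceLimitError

class ModelReadWriteLock
  def initialize(check_ownership:)
    @check = check_ownership
    @mutex = Mutex.new
    @readers = 0                 # shared reader counter, as in the description
    @writer = nil                # thread that acquired the write lock (model's own bookkeeping)
    @read_holds = Hash.new(0)    # per-thread read hold count (model's own bookkeeping)
  end

  def acquire_write_lock
    loop do
      @mutex.synchronize do
        if @writer.nil? && @readers.zero?
          @writer = Thread.current
          return true
        end
      end
      Thread.pass
    end
  end

  # Vulnerable shape: any thread may clear the writer. Checked shape: only the owner.
  def release_write_lock
    @mutex.synchronize do
      raise LockError, "write lock not held by this thread" if @check && !@writer.equal?(Thread.current)
      @writer = nil
    end
    true
  end

  def acquire_read_lock
    loop do
      @mutex.synchronize do
        if @writer.nil?
          # A negative counter is the poisoned state the description mentions.
          raise ResourceLimitError, "reader counter is negative" if @readers.negative?
          @readers += 1
          @read_holds[Thread.current] += 1
          return true
        end
      end
      Thread.pass
    end
  end

  # Vulnerable shape: decrements unconditionally, so a fresh lock goes 0 -> -1.
  def release_read_lock
    @mutex.synchronize do
      raise LockError, "read lock not held by this thread" if @check && @read_holds[Thread.current].zero?
      @readers -= 1
      @read_holds[Thread.current] -= 1 if @read_holds[Thread.current].positive?
    end
    true
  end

  def reader_count
    @mutex.synchronize { @readers }
  end

  def write_locked?
    @mutex.synchronize { !@writer.nil? }
  end
end

# A helper thread takes the write lock and parks inside its critical section;
# the calling thread, which never acquired the lock, then tries to release it.
def stray_write_release_outcome(check_ownership:)
  lock = ModelReadWriteLock.new(check_ownership: check_ownership)
  leave = Queue.new
  holder = Thread.new do
    lock.acquire_write_lock
    leave.pop                    # "still running" its critical section
    lock.release_write_lock
  end
  Thread.pass until lock.write_locked?
  outcome = begin
    lock.release_write_lock
    lock.acquire_write_lock      # a second writer enters while the holder is inside
    :double_writer
  rescue LockError
    :rejected
  end
  leave << :go
  holder.join
  outcome
end

# Release a read lock on a fresh lock, then try a normal read acquisition.
def stray_read_release_outcome(check_ownership:)
  lock = ModelReadWriteLock.new(check_ownership: check_ownership)
  begin
    lock.release_read_lock       # never acquired
  rescue LockError
    return :rejected
  end
  lock.acquire_read_lock
  :acquired
rescue ResourceLimitError
  :resource_limit_error
end
```

The unchecked model returns :double_writer and :resource_limit_error for the two scenarios, which is the behaviour the advisory describes; the checked model rejects both stray releases at the call site, where the bug is cheap to diagnose, instead of letting a later, unrelated thread observe the damage.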

Publish Date: 2026-06-24

URL: CVE-2026-54906

CVSS 3 Score Details (4.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: ruby-concurrency/concurrent-ruby@3fd4932

Release Date: 2026-06-19

Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7

⛑️ Automatic Remediation will be attempted for this issue.
