Vulnerable Library - money-rails-3.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (money-rails version) |
Remediation Possible** |
| CVE-2026-54904 |
 High |
7.5 |
concurrent-ruby-1.3.6.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-54905 |
 Medium |
5.3 |
concurrent-ruby-1.3.6.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-54906 |
Medium |
4.0 |
concurrent-ruby-1.3.6.gem |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-54904
Vulnerable Library - concurrent-ruby-1.3.6.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more.
Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Dependency Hierarchy:
- money-rails-3.0.0.gem (Root Library)
- money-7.0.2.gem
- i18n-1.14.8.gem
- ❌ concurrent-ruby-1.3.6.gem (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
CVE-2026-54905
Vulnerable Library - concurrent-ruby-1.3.6.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more.
Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Dependency Hierarchy:
- money-rails-3.0.0.gem (Root Library)
- money-7.0.2.gem
- i18n-1.14.8.gem
- ❌ concurrent-ruby-1.3.6.gem (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54905
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
CVE-2026-54906
Vulnerable Library - concurrent-ruby-1.3.6.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more.
Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Dependency Hierarchy:
- money-rails-3.0.0.gem (Root Library)
- money-7.0.2.gem
- i18n-1.14.8.gem
- ❌ concurrent-ruby-1.3.6.gem (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54906
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - concurrent-ruby-1.3.6.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Dependency Hierarchy:
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54904
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - concurrent-ruby-1.3.6.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Dependency Hierarchy:
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54905
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - concurrent-ruby-1.3.6.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/concurrent-ruby-1.3.6.gem
Dependency Hierarchy:
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54906
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here