Skip to content

CVE-2026-54904 (High) detected in concurrent-ruby-1.3.5.gem #288

Description

@mend-bolt-for-github

CVE-2026-54904 - High Severity Vulnerability

Vulnerable Library - concurrent-ruby-1.3.5.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem

Dependency Hierarchy:

  • manageiq-style-1.3.3.gem (Root Library)
    • more_core_extensions-4.5.1.gem
      • activesupport-8.0.2.gem
        • concurrent-ruby-1.3.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.

Publish Date: 2026-06-24

URL: CVE-2026-54904

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-19

Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions