[Aikido] Fix 14 security issues in json, puma, net-imap and 4 more

[aikido-autofix]

Upgrade dependencies to fix multiple security vulnerabilities: JSON heap corruption and DoS via buffer overflow, Puma PROXY protocol DoS and IP spoofing, Net::IMAP command injection, and SQLite3/msgpack/websocket-driver/psych vulnerabilities.

✅ 14 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
AIKIDO-2026-10977	LOW	[json] A heap buffer overflow vulnerability exists in the native generator when computing output buffer capacity for repeated indent/spacing strings, potentially causing memory corruption. Additionally, an unchecked depth option can cause denial of service through excessive nesting work.
AIKIDO-2026-10978	LOW	[json] A use-after-free vulnerability in JSON parsing allows concurrent mutation of the source string during parsing through Ruby-level hooks, potentially causing memory corruption and parsed value divergence. The patch freezes or copies the source buffer to prevent modification during parsing.
CVE-2026-47736	LOW	[puma] PROXY protocol v1 support allows attackers to send continuous bytes without CRLF terminators, causing unbounded memory growth and CPU consumption that can lead to process OOM or denial of service through a single unauthenticated TCP connection.
CVE-2026-47737	LOW	[puma] Source IP spoofing vulnerability when PROXY protocol v1 is enabled with persistent connections; attackers can inject malicious PROXY headers between keep-alive requests to spoof REMOTE_ADDR, potentially bypassing security controls like rate limiting or access lists.
CVE-2026-47240	LOW	[net-imap] A command injection vulnerability exists in IMAP commands that accept raw data arguments containing non-synchronizing literals, which can be exploited on servers lacking LITERAL+/LITERAL-/IMAP4rev2 support to inject arbitrary IMAP commands via CRLF sequences. This affects search, sort, thread, and fetch commands when processing unvalidated user-controlled input, potentially allowing unauthorized mailbox operations.
CVE-2026-47242	LOW	[net-imap] The #id and #enable commands fail to validate arguments, allowing attackers to inject arbitrary IMAP commands via CRLF sequences. This could enable unauthorized mailbox operations when untrusted input is passed to these commands.
CVE-2026-47241	LOW	[net-imap] A regex validation bypass in Net::IMAP allows attackers to inject literal continuation markers (like {0} or {0+}) into search, sort, fetch, and thread commands, causing command absorption and denial of service through hangs and timeouts. Multi-threaded environments are particularly vulnerable as subsequent commands may hang indefinitely waiting for responses.
AIKIDO-2026-11126	LOW	[sqlite3] A use-after-free vulnerability in aggregate function callbacks allows stepping prepared statements after database closure to trigger invalid memory reads and segmentation faults, causing denial of service in applications using custom aggregates.
AIKIDO-2026-11127	LOW	[sqlite3] User-defined SQLite functions with duplicate names and different argument counts can cause invalid memory reads and process crashes due to premature garbage collection of referenced Ruby blocks. This denial-of-service vulnerability affects applications using create_function or define_function.
AIKIDO-2026-11117	LOW	[msgpack] A use-after-free vulnerability in the Buffer clear method fails to reset cursor pointers, allowing freed memory pages to be reused and causing data corruption or information disclosure between buffers in the same process.
AIKIDO-2026-11128	LOW	[websocket-driver] A malicious peer can send endless high-bit-set bytes to cause unbounded memory consumption through arbitrarily growing integer parsing in draft WebSocket protocol handlers, leading to denial of service.
AIKIDO-2026-11129	LOW	[websocket-driver] An attacker can send unlimited HTTP headers during WebSocket handshakes, causing unbounded memory consumption and leading to denial of service. The vulnerability affects TCP-based server and client integrations by exhausting process memory through a never-ending header list.
AIKIDO-2026-11130	LOW	[websocket-driver] A vulnerability allows attackers to bypass message size limits by sending compressed frames that exceed the configured maximum after decompression, potentially causing excessive memory consumption. The fix validates message size after extension processing rather than before decompression.
AIKIDO-2026-11069	LOW	[psych] A heap out-of-bounds write vulnerability exists in the YAML parser's IO reader callback, which fails to validate the length of data returned by IO#read operations. This allows attackers to trigger a buffer overflow and achieve remote code execution through Psych.load, Psych.safe_load, or Psych.parse.

🔗 Related Tasks

• https://aikido.atlassian.net/browse/AIK-15325

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[aikido-autofix]

Closed by Aikido: a new AutoFix has been created → #305