CVE-2025-61921
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response. Carefully crafted input can cause If-Match and If-None-Match header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the ETag header value. Any applications that use the etag method when generating a response are impacted. Version 4.2.0 fixes the issue.
| Software | From | Fixed in |
|---|---|---|
sinatra
|
- | 4.2.0 |
| sinatrarb / sinatra | - | 4.2.0 |
- https://bugs.ruby-lang.org/issues/19104
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml
- https://github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd
- https://github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb
- https://github.com/sinatra/sinatra/issues/2120
- https://github.com/sinatra/sinatra/pull/1823
- https://github.com/sinatra/sinatra/pull/2121
- https://github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime