CVE-2025-61921

Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response. Carefully crafted input can cause If-Match and If-None-Match header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the ETag header value. Any applications that use the etag method when generating a response are impacted. Version 4.2.0 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-1333"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61921.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/sinatra/sinatra

Affected ranges

Type: GIT
Repo: https://github.com/sinatra/sinatra
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f2ad45f7d2456172974a30d300e9f82424336e09

Affected versions

0.*

0.0.1

0.1.0

0.1.5

0.1.6

0.1.7

0.2.0

0.2.2

0.3.0

0.3.1

0.3.2

0.3.3

0.9.0.1

0.9.0.2

0.9.1

0.9.1.1

0.9.2

1.*

1.0

1.0.a

1.0.b

1.1.0

1.1.a

1.1.b

1.2.0

1.2.0.a

1.2.0.b

1.2.0.c

1.2.0.d

1.2.1

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.4.3

2.*

2.0.0.rc3

2.0.0.rc4

2.0.0.rc5

Other

semver

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v2.*

v2.0.0

v2.0.0.beta2

v2.0.0.rc1

v2.0.0.rc2

v2.0.0.rc3

v2.0.0.rc4

v2.0.0.rc5

v2.0.0.rc6

v2.0.1

v2.0.1.rc1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.8.1

v2.1.0

v2.2.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.1.0

v3.2.0

v4.*

v4.0.0

v4.1.0

v4.1.1