CVE-2025-61921 — Regex Denial of Service in Sinatra

CWE-1333 — Regex Denial of Service CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

2.7LOWNVD

EPSS

0.4%

top 39.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sinatra Sinatrarb Sinatra

Timeline

PublishedOct 10

Description

Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response. Carefully crafted input can cause `If-Match` and `If-None-Match` header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically invol…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5sinatra/sinatra< 4.2.0

▶RubyGemssinatra/sinatra< 4.2.0

▶NVDsinatrarb/sinatra< 4.2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Sinatra is vulnerable to ReDoS through ETag header value generation↗2025-10-10

▶

OSV

CVE-2025-61921: Sinatra is a domain-specific language for creating web applications in Ruby↗2025-10-10

▶

CVEList

Sinatra has ReDoS vulnerability in ETag header value generation↗2025-10-10

▶

OSV

Sinatra is vulnerable to ReDoS through ETag header value generation↗2025-10-10

▶

📋Vendor Advisories

Red Hat

sinatra: Sinatra has ReDoS vulnerability in ETag header value generation↗2025-10-10

▶

Debian

CVE-2025-61921: ruby-sinatra - Sinatra is a domain-specific language for creating web applications in Ruby. In ...↗2025

▶