Sinatra has ReDoS vulnerability in ETag header value generation
Description
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response. Carefully crafted input can cause If-Match and If-None-Match header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the ETag header value. Any applications that use the etag method when generating a response are impacted. Version 4.2.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sinatra 4.1.1 and earlier has a ReDoS vulnerability in the `If-Match` and `If-None-Match` header parser when the `etag` method is used, leading to denial of service.
Vulnerability
CVE-2025-61921 is a denial-of-service vulnerability in the Sinatra web framework for Ruby, affecting versions prior to 4.2.0. The bug resides in the parsing of If-Match and If-None-Match HTTP headers when the application uses the etag method to generate response ETags [2]. The root cause is a regular expression that exhibits catastrophic backtracking, a classic ReDoS (Regular Expression Denial of Service) pattern [4].
Exploitation
An attacker can exploit this vulnerability by sending a crafted If-Match or If-None-Match header to a Sinatra endpoint that utilizes the etag method [2]. No prior authentication is required and the attack is purely network-based: a specially crafted header value can cause the header parser to take an exponentially long time, overwhelming the server's request-handling capacity [2].
Impact
Successful exploitation leads to a denial of service condition. The targeted Sinatra application becomes unresponsive to legitimate requests, impacting availability. The vulnerability is network-triggerable without authentication, making it a practical vector for disrupting web services [2].
Mitigation
The vulnerability is fixed in Sinatra version 4.2.0 [2]. The fix addresses the ReDoS in the regex used by etag_matches? [3]. All users running versions prior to 4.2.0 who use the etag method should upgrade immediately. There is no known workaround; upgrading is the only complete mitigation [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sinatra (RubyGems) | < 4.2.0 | 4.2.0 |
Affected products
- sinatra/sinatra: range < 4.2.0
Patches
3fe8c38dc405: Fix regex in `etag_matches?` to prevent ReDoS (#2121)
1 file changed · +1 −1
lib/sinatra/base.rb+1 −1 modified@@ -711,7 +711,7 @@ def time_for(value) def etag_matches?(list, new_resource = request.post?) return !new_resource if list == '*' - list.to_s.split(/\s*,\s*/).include? response['ETag'] + list.to_s.split(',').map(&:strip).include?(response['ETag']) end def with_params(temp_params)
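Review bot: the hunk changes the parse but adds no regression test; the `etag_matches?` spec should gain a case with a very long header value containing no comma (the class of input on which a backtracking split on `/\s*,\s*/` can degrade) and assert it completes promptly, plus a case such as `' "a" , "b" '` documenting that every entry is now stripped of surrounding whitespace, which the old regex split left on the first and last element. The `return !new_resource if list == '*'` short-circuit is still an exact comparison, so a header value of `' *'` is not treated as a wildcard; that is pre-existing, but deserves a comment.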
8ff496bd4877: Merge pull request #1823 from ooooooo-q/fix/redos
1 file changed · +1 −1
rack-protection/lib/rack/protection/ip_spoofing.rb+1 −1 modified@@ -16,7 +16,7 @@ class IPSpoofing < Base def accepts?(env) return true unless env.include? 'HTTP_X_FORWARDED_FOR' - ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/) + ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip) return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP']) return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
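Review bot: same replacement as the `etag_matches?` fix and the same missing test; add a spec for `accepts?` with a long `HTTP_X_FORWARDED_FOR` value that has no comma to cover the slow path. Note the behavioural change as well: `split(',').map(&:strip)` trims whitespace from the first and last address, which the old `split(/\s*,\s*/)` left in place, so a `HTTP_CLIENT_IP` or `HTTP_X_REAL_IP` that appears in the list with surrounding spaces is now accepted where it was previously rejected. That is a reasonable tightening of intent, but it should be stated in the merge commit message.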
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
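As an added illustration (not code from the Sinatra project), the pre-4.2.0 and patched forms of `etag_matches?` side by side, reduced to plain functions that take the header value and the current ETag instead of reading `request` and `response`; the hostile input and the timing harness are constructed here.

```ruby
require 'benchmark'

# Old form (Sinatra < 4.2.0), reproduced for comparison. Splitting on the
# regex /\s*,\s*/ lets a backtracking engine re-scan runs of whitespace at
# each candidate position, so cost grows faster than linearly on long
# whitespace-heavy values that contain no comma.
def etag_matches_old?(list, current_etag, new_resource = false)
  return !new_resource if list == '*'
  list.to_s.split(/\s*,\s*/).include?(current_etag)
end

# Patched form (Sinatra 4.2.0): split on the literal comma, then strip each
# entry. Both steps are linear in the header length.
def etag_matches_new?(list, current_etag, new_resource = false)
  return !new_resource if list == '*'
  list.to_s.split(',').map(&:strip).include?(current_etag)
end

# Constructed worst-case header value: n spaces and no comma at all.
def hostile_header(n)
  ' ' * n
end

# Time both forms on the same hostile input; returns [old_seconds, new_seconds].
# How much slower the old form is depends on the interpreter's regex engine
# (newer Rubies memoize backtracking), so measure on the Ruby you actually run.
def compare(n)
  list = hostile_header(n)
  old_t = Benchmark.realtime { etag_matches_old?(list, '"abc"') }
  new_t = Benchmark.realtime { etag_matches_new?(list, '"abc"') }
  [old_t, new_t]
end

if __FILE__ == $PROGRAM_NAME
  old_t, new_t = compare(20_000)
  printf("old: %.4fs  new: %.4fs\n", old_t, new_t)
end
```

Besides the timing difference, the two forms disagree on values with whitespace around the first or last entry (`' "a" , "b" '`): only the patched form strips it and reports a match.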
References
- https://github.com/advisories/GHSA-mr3q-g2mv-mr4q (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-61921 (advisory)
- https://bugs.ruby-lang.org/issues/19104
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml
- https://github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd
- https://github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb
- https://github.com/sinatra/sinatra/issues/2120
- https://github.com/sinatra/sinatra/pull/1823
- https://github.com/sinatra/sinatra/pull/2121
- https://github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q (vendor confirmation)