Sinatra has ReDoS vulnerability in ETag header value generation
Description
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response. Carefully crafted input can cause If-Match and If-None-Match header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the ETag header value. Any applications that use the etag method when generating a response are impacted. Version 4.2.0 fixes the issue.
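Upgrading to 4.2.0 is the fix. As an added example that is not Sinatra's own code, the Ruby below shows the shape of a ReDoS-safe parser for If-Match / If-None-Match values: one linear pass over the header with a size cap and no backtracking regex; the cap constant, function names and the constructed inputs are assumptions, not taken from the project.

```ruby
# Added example, not Sinatra's code: single-pass, linear-time parsing of
# If-Match / If-None-Match entity-tag lists (RFC 7232 syntax) with a size
# cap. Because the scanner never re-reads input, its cost is bounded by
# the header length, which is the property a backtracking regex lacks.

# Assumed cap on the conditional header's size; tune per deployment.
MAX_CONDITIONAL_HEADER_BYTES = 4096

# Returns an array of entity-tag strings (e.g. '"abc"', 'W/"abc"'),
# ["*"] for the wildcard, or nil when the value is oversized or malformed.
def parse_entity_tags(value)
  return nil if value.nil? || value.bytesize > MAX_CONDITIONAL_HEADER_BYTES
  s = value.strip
  return ["*"] if s == "*"
  tags = []
  i = 0
  n = s.length
  while i < n
    # Skip list separators and optional whitespace between tags.
    i += 1 while i < n && (s[i] == "," || s[i] == " " || s[i] == "\t")
    break if i >= n
    start = i
    if s[i] == "W"                      # weak validator prefix W/"..."
      return nil unless s[i + 1] == "/"
      i += 2
    end
    return nil unless s[i] == '"'       # opaque-tag must be quoted
    i += 1
    i += 1 while i < n && s[i] != '"'   # scan forward to the closing quote
    return nil if i >= n                # unterminated quoted tag
    i += 1
    tags << s[start...i]
  end
  tags.empty? ? nil : tags
end

# Weak comparison (RFC 7232 section 2.3.2): the W/ prefix is ignored on
# both sides; a malformed or oversized header never matches.
def etag_matches?(header_value, current_etag)
  tags = parse_entity_tags(header_value)
  return false if tags.nil?
  return true if tags == ["*"]
  strip = ->(t) { t.delete_prefix("W/") }
  tags.any? { |t| strip.call(t) == strip.call(current_etag) }
end
```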
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sinatra (RubyGems) | < 4.2.0 | 4.2.0 |
Affected products
Ranges are OSV coordinates; no CPE is assigned to any of the 40 entries.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/gitlab-cng-18.9 | < 18.9.1-r0 |
| pkg:apk/chainguard/gitlab-exporter-18.11 | < 18.11.5-r2 |
| pkg:apk/chainguard/gitlab-exporter-18.9 | < 18.9.5-r0 |
| pkg:apk/chainguard/gitlab-exporter-19.0 | < 19.0.2-r1 |
| pkg:apk/chainguard/logstash-8.17 | < 8.17.10-r4 |
| pkg:apk/chainguard/logstash-8.17-bitnami-compat | < 8.17.10-r4 |
| pkg:apk/chainguard/logstash-8.17-compat | < 8.17.10-r4 |
| pkg:apk/chainguard/logstash-8.17-env2yaml | < 8.17.10-r4 |
| pkg:apk/chainguard/logstash-8.17-iamguarded-compat | < 8.17.10-r4 |
| pkg:apk/chainguard/logstash-8.17-with-output-opensearch | < 8.17.10-r4 |
| pkg:apk/chainguard/logstash-8.18 | < 8.18.8-r2 |
| pkg:apk/chainguard/logstash-8.18-bitnami-compat | < 8.18.8-r2 |
| pkg:apk/chainguard/logstash-8.18-compat | < 8.18.8-r2 |
| pkg:apk/chainguard/logstash-8.18-env2yaml | < 8.18.8-r2 |
| pkg:apk/chainguard/logstash-8.18-iamguarded-compat | < 8.18.8-r2 |
| pkg:apk/chainguard/logstash-8.18-with-output-opensearch | < 8.18.8-r2 |
| pkg:apk/chainguard/logstash-8.19 | < 8.19.5-r2 |
| pkg:apk/chainguard/logstash-8.19-compat | < 8.19.5-r2 |
| pkg:apk/chainguard/logstash-8.19-env2yaml | < 8.19.5-r2 |
| pkg:apk/chainguard/logstash-8.19-iamguarded-compat | < 8.19.5-r2 |
| pkg:apk/chainguard/logstash-8.19-with-output-opensearch | < 8.19.5-r2 |
| pkg:apk/chainguard/logstash-9.0 | < 9.0.8-r2 |
| pkg:apk/chainguard/logstash-9.0-bitnami-compat | < 9.0.8-r2 |
| pkg:apk/chainguard/logstash-9.0-compat | < 9.0.8-r2 |
| pkg:apk/chainguard/logstash-9.0-env2yaml | < 9.0.8-r2 |
| pkg:apk/chainguard/logstash-9.0-iamguarded-compat | < 9.0.8-r2 |
| pkg:apk/chainguard/logstash-9.0-with-output-opensearch | < 9.0.8-r2 |
| pkg:apk/chainguard/logstash-9.1 | < 9.1.5-r2 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.5-r2 |
| pkg:apk/chainguard/logstash-9.1-compat | < 9.1.5-r2 |
| pkg:apk/chainguard/logstash-9.1-env2yaml | < 9.1.5-r2 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.5-r2 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.5-r2 |
| pkg:apk/wolfi/logstash-9.1 | < 9.1.5-r2 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.5-r2 |
| pkg:apk/wolfi/logstash-9.1-compat | < 9.1.5-r2 |
| pkg:apk/wolfi/logstash-9.1-env2yaml | < 9.1.5-r2 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.5-r2 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.5-r2 |
| pkg:gem/sinatra | < 4.2.0 |
References
- github.com/advisories/GHSA-mr3q-g2mv-mr4q (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-61921 (advisory, via GHSA)
- bugs.ruby-lang.org/issues/19104 (web, x_refsource_MISC, via GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml (web, via GHSA)
- github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd (web, via GHSA)
- github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb (web, via GHSA)
- github.com/sinatra/sinatra/issues/2120 (web, x_refsource_MISC, via GHSA)
- github.com/sinatra/sinatra/pull/1823 (web, x_refsource_MISC, via GHSA)
- github.com/sinatra/sinatra/pull/2121 (web, x_refsource_MISC, via GHSA)
- github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q (web, x_refsource_CONFIRM, via GHSA)