RubyGems package
sinatra
pkg:gem/sinatra
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61921 | — | — | — | < 4.2.0 | 4.2.0 | Oct 10, 2025 | Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the respon |
| CVE-2024-21510 | Med | 5.4 | — | < 4.1.0 | 4.1.0 | Nov 1, 2024 | Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbit |
| CVE-2022-45442 | — | — | — | >= 2.0, < 2.2.3; >= 3.0, < 3.0.4 | 2.2.3, 3.0.4 | Nov 28, 2022 | Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response whe |
| CVE-2022-29970 | — | — | — | < 2.2.0 | 2.2.0 | May 2, 2022 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. |
| CVE-2018-11627 | — | — | — | >= 2.0.0, < 2.0.2 | 2.0.2 | May 31, 2018 | Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. |
| CVE-2018-7212 | — | — | — | >= 2.0.0.beta1, < 2.0.1 | 2.0.1 | Feb 18, 2018 | An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters. |
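Two of the entries above are path traversal in static file serving: CVE-2022-29970 (the expanded path was not checked against `public_dir`) and CVE-2018-7212 (backslashes act as separators on Windows and slipped past a slash-only check). The function below is an added example, not Sinatra's or rack-protection's code, of the check a static file handler needs: percent-decode once, refuse backslashes and NUL bytes, expand the path under the public root, and accept it only if it is the root or lies strictly below it. The function name and the sample directory `/srv/app/public` used in the comments are assumptions.

```ruby
# Added example, not Sinatra's own code. Resolves a requested URL path against a
# public directory and refuses anything whose expanded path leaves that
# directory (the check CVE-2022-29970 describes as missing), while also
# rejecting backslashes, which act as separators on Windows (CVE-2018-7212).
# The function name and the sample directory "/srv/app/public" are assumptions.

def resolve_static_path(public_dir, request_path)
  # Percent-decode first so "%2e%2e" and "%5c" are seen as ".." and "\\".
  # Work on bytes so a high byte never raises an encoding error, then restore
  # UTF-8 for the file system calls. Only one round of decoding: a doubly
  # encoded name stays a literal file name and cannot become "..".
  decoded = request_path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  decoded.force_encoding(Encoding::UTF_8)

  # Backslash is a separator on Windows but not on POSIX, so a slash-only
  # traversal check misses "..\\". Refuse it on every platform.
  return nil if decoded.include?("\\")

  # File.expand_path raises on NUL bytes; treat them as a refused request.
  return nil if decoded.include?("\0")

  root = File.expand_path(public_dir)
  # Join before expanding so a leading "~" is a file name, not a home directory.
  candidate = File.expand_path(File.join(root, decoded))

  # Containment: the candidate must be the root itself or sit below it.
  # Compare against root plus a separator so a sibling directory sharing the
  # prefix ("/srv/app/public_html") is not accepted as inside the root.
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)

  candidate
end
```

The caller still has to check that the result is a regular, readable file. This check works on the lexical path only: a symlink inside `public_dir` that points outside it passes, so resolve with `File.realpath` as well if symlinks are not trusted.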
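CVE-2024-21510 above is an open redirect that arises when the host used to build an absolute `Location` header is taken from the request's X-Forwarded-Host header, which the client controls. The code below is an added example, not Sinatra's own code and not its 4.1.0 fix: it shows the vulnerable shape beside a hardened one that only accepts hosts the application actually serves. The `env` hash uses Rack-style CGI keys and is constructed here; `CANONICAL_HOST`, `ALLOWED_HOSTS`, the function names, and the choice of the last entry in a comma-separated X-Forwarded-Host chain are all assumptions of this example.

```ruby
# Added example, not Sinatra's own code. Shows how trusting X-Forwarded-Host
# when building an absolute Location header turns a redirect into an open
# redirect (CVE-2024-21510), and one way to pin the host. The env hash mimics
# Rack's CGI-style keys; CANONICAL_HOST and ALLOWED_HOSTS are assumed values.

CANONICAL_HOST = "app.example".freeze
ALLOWED_HOSTS  = [CANONICAL_HOST, "www.app.example"].freeze

# Host as a proxy-aware request sees it: the forwarded header, which whoever
# sent the request can set, wins over the Host header. With several proxies
# the header is a comma-separated chain; this example takes the last entry,
# but every entry originates from the client, so none of them is trusted.
def forwarded_host(env)
  xfh  = env["HTTP_X_FORWARDED_HOST"]
  host = xfh ? xfh.split(",").last.strip : env["HTTP_HOST"]
  host.to_s.sub(/:\d+\z/, "")  # drop an explicit port for comparison
end

# Vulnerable shape: the redirect target's host comes straight from the request,
# so "X-Forwarded-Host: evil.example" sends the browser off-site.
def vulnerable_redirect_location(env, path)
  "#{env['rack.url_scheme']}://#{forwarded_host(env)}#{path}"
end

# Hardened shape: the host must be one we serve; anything else is replaced by
# the canonical host, so the Location header can never point off-site. The
# path is also forced to a single leading slash so "//evil.example/" cannot be
# read as a protocol-relative URL (a separate but related trap).
def hardened_redirect_location(env, path)
  host = forwarded_host(env)
  host = CANONICAL_HOST unless ALLOWED_HOSTS.include?(host.downcase)
  local_path = "/" + path.sub(%r{\A[/\\]+}, "")
  "#{env['rack.url_scheme']}://#{host}#{local_path}"
end

# Constructed request: a client that sets X-Forwarded-Host itself.
ATTACK_ENV = {
  "rack.url_scheme"       => "https",
  "HTTP_HOST"             => "app.example",
  "HTTP_X_FORWARDED_HOST" => "evil.example",
}.freeze
```

If the application never needs an absolute redirect URL, the simplest hardening is to emit a path-only `Location` and leave the host out entirely. Where a proxy legitimately sets X-Forwarded-Host, the same allowlist logic belongs at the proxy, which should overwrite rather than forward the client's copy of the header.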