Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-61921

Good to know:

icon
icon

Date: October 10, 2025

Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the "If-Match" and "If-None-Match" header parsing component of Sinatra, if the "etag" method is used when constructing the response. Carefully crafted input can cause "If-Match" and "If-None-Match" header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the "ETag" header value. Any applications that use the "etag" method when generating a response are impacted. Version 4.2.0 fixes the issue.

Severity Score

Related Resources (10)

https://github.com/sinatra/sinatra
https://bugs.ruby-lang.org/issues/19104
https://github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q
https://nvd.nist.gov/vuln/detail/CVE-2025-61921
https://github.com/sinatra/sinatra/issues/2120
https://github.com/sinatra/sinatra/pull/1823
https://github.com/sinatra/sinatra/pull/2121
https://github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd
https://github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb
https://www.mend.io/vulnerability-database/CVE-2025-61921

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

icon

Upgrade Version

Upgrade to version sinatra - 4.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us