Denial of Service Vulnerability in Sinatra Web Framework from Ruby
CVE-2025-61921

2.7LOW

Key Information:

Vendor

Sinatra

Status
Sinatra
Vendor
CVE Published:
10 October 2025

What is CVE-2025-61921?

Sinatra, a Ruby framework for web applications, contains a vulnerability related to the parsing of If-Match and If-None-Match headers prior to version 4.2.0. When applications utilize the etag method in their responses, specially crafted input may lead to a significant delay in the processing of these headers, potentially exposing web services to denial of service attacks. This vulnerability affects all applications relying on these headers for response generation, highlighting the critical need for upgrading to version 4.2.0 or later to mitigate such risks.

Affected Version(s)

sinatra < 4.2.0

References

https://github.com/sinatra/sinatra/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/sinatra/sinatra/issues/2120
x_refsource_MISC
https://github.com/sinatra/sinatra/pull/1823
x_refsource_MISC

CVSS V4

Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-61921 : Denial of Service Vulnerability in Sinatra Web Framework from Ruby