cvedb.io
CVE-2025-61921
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-10-10T20:15:38.067 · Last modified 2026-06-17T09:51:04.733

Summary

Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the parsing of the `If-Match` and `If-None-Match` request headers performed by Sinatra's `etag` helper. Carefully crafted header values can make that parsing take an unexpectedly long time, and because any client can send these headers, this is an unauthenticated denial of service vector. The headers carry the ETag values a client already holds; the `etag` helper compares them against the `ETag` it sets on the response to decide whether to answer 304 Not Modified or 412 Precondition Failed. Any application that calls the `etag` method when generating a response is affected; applications that never call `etag` are not. Version 4.2.0 fixes the issue.
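The following is an added example, not code from the Sinatra project or from this page. It places a regex-split evaluator of the form older Sinatra releases used for these headers (as I read the pre-4.2.0 `etag_matches?` helper; check the 4.2.0 diff before citing it) beside a backtracking-free evaluator with a size cap, and times both on a constructed header made of a long whitespace run. The function names, the `MAX_ETAG_LIST_BYTES` cap and the sample inputs are assumptions. On Ruby 3.2 and later the interpreter's regex memoization may already flatten the quadratic case, so compare timings on the Ruby version your application actually runs.

```ruby
# Added example (not Sinatra's code). Names, cap and inputs are assumptions.
require 'benchmark'

# Assumption: reject ETag lists larger than this before parsing them at all.
MAX_ETAG_LIST_BYTES = 8 * 1024

# Defense in depth on Ruby >= 3.2: bound every regex match process-wide so a
# pathological header in some other code path raises instead of spinning.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Regex-split style of the kind used before the fix. For every start
# position the greedy \s* swallows the whole whitespace run, then has to be
# given back one byte at a time before the comma test fails, so a long run
# of spaces that is not followed by a comma costs O(n^2) in a backtracking
# engine.
def etag_matches_regex(list, current_etag, new_resource: false)
  return !new_resource if list == '*'

  list.to_s.split(/\s*,\s*/).include?(current_etag)
end

# Linear version: split on the literal comma (no regex, no backtracking) and
# strip each member in a single pass. An absent or oversized list returns
# false, which fails closed: If-None-Match falls through to a full response
# and If-Match yields 412, without the regex engine ever seeing the bytes.
def etag_matches_linear(list, current_etag, new_resource: false)
  return !new_resource if list == '*'
  return false if list.nil? || list.bytesize > MAX_ETAG_LIST_BYTES

  list.split(',').any? { |member| member.strip == current_etag }
end

# Constructed hostile header: n spaces, a non-comma byte, then a comma so the
# engine cannot discard the input early. Returns wall-clock seconds for each
# evaluator so the two can be compared on the running Ruby.
def time_both(n)
  header = (' ' * n) + 'x,'
  {
    regex:  Benchmark.realtime { etag_matches_regex(header, '"abc"') },
    linear: Benchmark.realtime { etag_matches_linear(header, '"abc"') }
  }
end

if __FILE__ == $PROGRAM_NAME
  t = time_both(2_000)
  puts format('regex split: %.4fs  linear split: %.4fs', t[:regex], t[:linear])
end
```

Raise `n` in `time_both` on an older Ruby to see the regex version grow quadratically while the linear one stays flat; if you prefer to reject oversized lists loudly rather than fail closed, `halt 431` at the cap instead of returning `false`.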

Affected products

sinatrarb — sinatra


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.