sinatra 4.1.1
Sinatra is vulnerable to ReDoS through ETag header value generation
Severity: low
CVE: CVE-2025-61921
Patched versions: >= 4.2.0
Summary
There is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response and you are using Ruby < 3.2.
Details
Carefully crafted If-Match and If-None-Match header values can cause Sinatra's header parsing to take an unexpected amount of time, which is a denial of service attack vector. These headers are parsed while the ETag header value is being generated, so any application that uses the etag method when generating a response is impacted if it is running Ruby below version 3.2.
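The following is an added example, not Sinatra's own code or the code from the linked fix. It assumes that the vulnerable parsing has the shape of a whitespace-tolerant regex split such as `split(/\s*,\s*/)`, which on Ruby < 3.2 can backtrack quadratically on long whitespace runs that contain no comma (Ruby >= 3.2 memoizes such matches, which is why the advisory limits the affected Ruby versions). Beside it is a linear-time parser that splits on a literal comma and strips each token, plus an `etag_matches?` helper in the spirit of the etag method; the names `etag_list_regex_split`, `etag_list_linear` and `etag_matches?` are hypothetical.

```ruby
# Added example (not Sinatra's code): parsing If-Match / If-None-Match lists
# without a backtracking regex.
#
# ASSUMPTION: the vulnerable shape is a regex split with optional whitespace
# on both sides of the separator. The real code and fix are in the linked
# issue and pull request.

# Regex-based split. On Ruby < 3.2 the pattern /\s*,\s*/ can backtrack
# heavily when the header is a long run of whitespace with no comma:
# each start position greedily consumes the whitespace, fails to find ",",
# and backtracks one character at a time. Kept only to show the shape.
def etag_list_regex_split(header)
  header.to_s.split(/\s*,\s*/).reject(&:empty?)
end

# Linear-time equivalent: String#split with a literal separator is a plain
# scan, and String#strip is linear in the token length, so the whole parse
# is O(n) regardless of how much whitespace the client sends.
def etag_list_linear(header)
  header.to_s.split(',').map(&:strip).reject(&:empty?)
end

# Conditional-request check in the spirit of the etag helper (assumed
# semantics): "*" matches any existing resource, otherwise the current
# ETag must appear in the parsed list. Uses the linear parser only.
def etag_matches?(header, current_etag, new_resource: false)
  return false if header.nil?
  return !new_resource if header.strip == '*'

  etag_list_linear(header).include?(current_etag)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample header values.
  sample = '"a1b2", W/"c3d4" ,  "e5f6"'
  puts etag_list_linear(sample).inspect
  puts etag_matches?(sample, 'W/"c3d4"')
end
```

On Ruby >= 3.2 both parsers behave identically and in linear time; on older Rubies only the literal-comma version keeps a predictable cost per request, which is the property you want for any header parsed before the response is built.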
Resources
- https://github.com/sinatra/sinatra/issues/2120 (report)
- https://github.com/sinatra/sinatra/pull/2121 (fix)
- https://github.com/sinatra/sinatra/pull/1823 (older ReDoS vulnerability)
- https://bugs.ruby-lang.org/issues/19104 (fix in Ruby >= 3.2)
Other checks
- Memory: no officially reported memory leak issues for this gem version.
- License: no license issues detected; the gemspec declares a license.
- Availability: this gem version has not been yanked and is still available for use.