CVE-2025-61921
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-10-31

Assigner: GitHub, Inc.

Description
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response. Carefully crafted input can cause `If-Match` and `If-None-Match` header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the `ETag` header value. Any applications that use the `etag` method when generating a response are impacted. Version 4.2.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-10-31
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61921
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sinatrarb sinatra to 4.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service issue in Sinatra versions prior to 4.2.0 related to how the framework parses the 'If-Match' and 'If-None-Match' HTTP headers when the 'etag' method is used to generate responses. Maliciously crafted input can cause the header parsing to take an unexpectedly long time, potentially allowing an attacker to exhaust server resources and cause a denial of service.

Impact Analysis

If your application uses Sinatra versions before 4.2.0 and employs the 'etag' method to generate responses, an attacker could exploit this vulnerability by sending specially crafted 'If-Match' or 'If-None-Match' headers. This can cause the server to spend excessive time parsing these headers, leading to degraded performance or denial of service, making your application unavailable to legitimate users.

Mitigation Strategies

Upgrade Sinatra to version 4.2.0 or later, as this version fixes the denial of service vulnerability related to the If-Match and If-None-Match header parsing when using the etag method.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart