CVE-2025-61921
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-10-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sinatrarb | sinatra | all versions before 4.2.0 (4.2.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a denial of service issue in Sinatra versions prior to 4.2.0, rooted in how the framework parses the 'If-Match' and 'If-None-Match' HTTP headers when the 'etag' method is used to generate responses. The parsing relies on a regular expression with an inefficient worst-case complexity (CWE-1333), so a maliciously crafted header value can make parsing take an unexpectedly long time, potentially allowing an attacker to exhaust server CPU and cause a denial of service.
How can this vulnerability impact me?
If your application uses Sinatra versions before 4.2.0 and employs the 'etag' method to generate responses, an attacker could exploit this vulnerability by sending specially crafted 'If-Match' or 'If-None-Match' headers. This can cause the server to spend excessive time parsing these headers, leading to degraded performance or denial of service, making your application unavailable to legitimate users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Sinatra to version 4.2.0 or later; that release fixes the denial of service in If-Match and If-None-Match header parsing when the etag method is used. Until the upgrade is deployed, limiting request header size at the reverse proxy reduces the input an attacker can feed to the parser.
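The defensive pattern behind the fix is to parse conditional-request headers in a single left-to-right pass instead of with a backtracking regular expression. The following Ruby code is an added illustration written for this page; it is not Sinatra's implementation (vulnerable or fixed), and the upgrade above remains the actual remediation. It assumes the RFC 7232 entity-tag grammar (`*`, or a comma-separated list of `"opaque"` tags optionally prefixed with `W/`) and a header length cap of 4096 bytes chosen for the example, not a Sinatra setting.

```ruby
# Added example (not Sinatra code): linear-time parsing of If-Match / If-None-Match.
# A backtracking regex over the whole header can degrade badly on crafted input
# (CWE-1333); this scanner touches each character once, so cost is O(length).

MAX_HEADER_BYTES = 4096 # assumption: example cap, tune to your deployment

# Returns :any for "*", an array of [weak, opaque_tag] pairs for a valid list,
# or nil when the header is missing, oversized or malformed.
def parse_etag_list(header)
  return nil if header.nil? || header.bytesize > MAX_HEADER_BYTES
  s = header.strip
  return :any if s == "*"

  tags = []
  i = 0
  n = s.length
  loop do
    # Skip whitespace and empty list elements (RFC 7230 #rule tolerates them).
    i += 1 while i < n && (s[i] == " " || s[i] == "\t" || s[i] == ",")
    return tags if i >= n

    weak = false
    if s[i, 2] == "W/"
      weak = true
      i += 2
    end
    return nil unless s[i] == '"'
    i += 1
    start = i
    # opaque-tag: every byte up to the closing DQUOTE, scanned exactly once.
    i += 1 while i < n && s[i] != '"'
    return nil if i >= n # unterminated quote
    tags << [weak, s[start...i]]
    i += 1

    # After a tag only optional whitespace, then a comma or end of string.
    i += 1 while i < n && (s[i] == " " || s[i] == "\t")
    return tags if i >= n
    return nil unless s[i] == ","
    i += 1
  end
end

# Entity-tag comparison per RFC 7232 section 2.3.2: strong comparison by default
# (both tags must be strong), weak comparison when weak_ok is true.
def etag_matches?(header, current_tag, weak_ok: false)
  parsed = parse_etag_list(header)
  return false if parsed.nil?
  return true if parsed == :any

  cur_weak = current_tag.start_with?("W/")
  cur_tag = current_tag.delete_prefix("W/").delete_prefix('"').delete_suffix('"')
  parsed.any? do |weak, tag|
    next false if !weak_ok && (weak || cur_weak)
    tag == cur_tag
  end
end

# Measures how long parsing takes; useful to confirm cost stays linear on
# long or hostile input. Returns [result, elapsed_milliseconds].
def timed_parse(header)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = parse_etag_list(header)
  [result, (Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000.0]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal list, a weak tag, and an oversized unterminated value.
  p parse_etag_list('"abc", W/"def"')
  p etag_matches?('W/"abc"', '"abc"')              # strong comparison fails
  p etag_matches?('W/"abc"', '"abc"', weak_ok: true)
  p timed_parse('"' + ("a" * 100_000))             # rejected by the size cap
end
```

The two controls that matter are the size cap (an attacker cannot make the parser look at more bytes than you allow) and the single forward scan (no regex engine state to explode). Both are cheap to add to any hand-written header parser.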