CVE-2025-61921
Denial of Service vulnerability in sinatra (RubyGems)
What is CVE-2025-61921 About?
This denial of service vulnerability exists in Sinatra's 'If-Match' and 'If-None-Match' header parsing when the 'etag' method is used and Ruby versions below 3.2 are in use. Carefully crafted input can cause excessive processing time, leading to a denial of service. Exploitation requires specific HTTP header manipulation.
Affected Software
Technical Details
The vulnerability is a Denial of Service (DoS) due to inefficient parsing of 'If-Match' and 'If-None-Match' HTTP headers within Sinatra, specifically when using the 'etag' method for response generation and running Ruby versions older than 3.2. Carefully crafted input in these headers, likely involving complex or repetitive patterns, can trigger a Regular Expression Denial of Service (ReDoS) or similar resource-exhausting operation during the header parsing process. This prolonged processing consumes server resources, preventing the server from handling legitimate requests and resulting in a denial of service.
What is the Impact of CVE-2025-61921?
Successful exploitation may allow attackers to degrade application performance, render services unavailable, or cause a complete shutdown of the affected system, disrupting legitimate user access and business operations.
What is the Exploitability of CVE-2025-61921?
Exploitation is of medium complexity: it requires knowledge of the If-Match and If-None-Match header parsing logic and the ability to craft input that triggers resource exhaustion. No authentication or special privileges are required; an attacker only needs to be able to send HTTP requests to a vulnerable Sinatra application, so this is a remotely exploitable vulnerability. The key conditions for exploitation are the use of the etag method in Sinatra responses and the application running on a Ruby version older than 3.2; where both conditions hold, the risk is correspondingly higher.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-61921?
Available Upgrade Options
- sinatra
  - <4.2.0 → Upgrade to 4.2.0
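The upgrade above is the fix. For a deployment that must stay on Ruby < 3.2 while the upgrade is scheduled, the following added example (not Sinatra's own code) shows a Rack-style middleware that bounds the size and shape of the If-Match and If-None-Match headers before they reach the etag handling; the byte and entry limits are assumed values chosen here, not figures from the advisory.

```ruby
# Added example, not Sinatra's own code: a Rack-style middleware that bounds
# If-Match / If-None-Match headers before Sinatra's etag handling sees them,
# as a stop-gap on Ruby < 3.2 until sinatra 4.2.0 is deployed.
# MAX_BYTES and MAX_TAGS are assumed limits, not values from the advisory.
class ConditionalHeaderGuard
  MAX_BYTES = 1024 # assumed cap; legitimate entity-tag lists are far smaller
  MAX_TAGS  = 16   # assumed cap on entity-tags per header
  KEYS = %w[HTTP_IF_MATCH HTTP_IF_NONE_MATCH].freeze

  def initialize(app)
    @app = app
  end

  # Answer 400 for a pathological header instead of handing it to the parser.
  def call(env)
    KEYS.each do |key|
      next if env[key].nil? || self.class.acceptable?(env[key])
      return [400, { "content-type" => "text/plain" }, ["bad conditional header\n"]]
    end
    @app.call(env)
  end

  # One forward pass over an RFC 7232 entity-tag list (or "*") with no regular
  # expression, so the work is linear in the header length whatever its shape.
  def self.acceptable?(value)
    return false if value.bytesize > MAX_BYTES
    return true if value.strip == "*"
    tags, i = 0, 0
    while i < value.length
      c = value[i]
      if c == "," || c == " " || c == "\t"   # separators between tags
        i += 1
        next
      end
      if c == "W"                            # optional weak-validator prefix
        return false unless value[i + 1] == "/"
        i += 2
      end
      return false unless value[i] == '"'   # every tag is a quoted string
      close = value.index('"', i + 1)
      return false if close.nil?             # unterminated quoted string
      tags += 1
      return false if tags > MAX_TAGS
      i = close + 1
      nxt = value[i]                         # a tag must end at a separator
      return false unless nxt.nil? || nxt == "," || nxt == " " || nxt == "\t"
    end
    tags.positive?                           # an empty list is rejected
  end
end
```

Mount it with `use ConditionalHeaderGuard` ahead of the application so malformed or oversized conditional headers are refused before any etag comparison runs.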
Additional Resources
- https://github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q
- https://github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd
- https://github.com/sinatra/sinatra/issues/2120
- https://osv.dev/vulnerability/GHSA-mr3q-g2mv-mr4q
- https://bugs.ruby-lang.org/issues/19104
- https://github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb
- https://nvd.nist.gov/vuln/detail/CVE-2025-61921
- https://github.com/sinatra/sinatra/pull/1823
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml
What are Similar Vulnerabilities to CVE-2025-61921?
Similar Vulnerabilities: CVE-2023-22799, CVE-2024-25126, CVE-2020-8186, CVE-2020-5267, CVE-2023-0309
