CVE-2025-61921: Sinatra is vulnerable to ReDoS through ETag header value generation
There is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response and you are using Ruby < 3.2.
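The mitigation class this advisory points at is parsing the If-Match / If-None-Match header in time proportional to its length, so that a crafted value cannot make the server spend super-linear CPU in a backtracking regular expression (Ruby 3.2 added match memoization to Regexp, which is why the advisory bounds the affected range at Ruby < 3.2). The following is an added example, not Sinatra's code and not the patch referenced below: a hand-written, character-by-character parser for the RFC 7232 entity-tag list grammar plus the strong/weak comparison used to decide a 304 / 412 response. The names `parse_etag_list`, `etag_matches?` and the `MAX_HEADER_BYTES` cap are assumptions chosen for this example.

```ruby
# Added example (not Sinatra's code). Linear-time parser for the
# If-Match / If-None-Match grammar (RFC 7232 section 3.1 / 3.2):
#   value      = "*" / 1#entity-tag
#   entity-tag = [ "W/" ] DQUOTE *etagc DQUOTE
# The loop below advances through the string exactly once, so work grows
# linearly with header length whatever the content; that is the property a
# backtracking regular expression can lose on adversarial input.

MAX_HEADER_BYTES = 4096 # assumption: size cap picked for this example

# Returns :any for "*", an array of { weak:, tag: } hashes for a tag list,
# or nil when the value is missing, over the cap, or malformed.
def parse_etag_list(value)
  return nil if value.nil? || value.bytesize > MAX_HEADER_BYTES
  s = value.strip
  return :any if s == "*"

  tags = []
  i = 0
  n = s.length
  while i < n
    # Skip optional whitespace and empty list elements (the 1#rule allows ", ,").
    i += 1 while i < n && (s[i] == " " || s[i] == "\t" || s[i] == ",")
    break if i >= n

    weak = false
    if s[i] == "W" && s[i + 1] == "/"
      weak = true
      i += 2
    end
    return nil unless s[i] == '"' # every tag is a quoted string

    i += 1
    start = i
    i += 1 while i < n && s[i] != '"'
    return nil if i >= n # unterminated quoted tag

    tag = s[start...i]
    i += 1
    # etagc = %x21 / %x23-7E / obs-text; reject control characters and quotes.
    return nil unless tag.each_byte.all? { |b| b == 0x21 || (0x23..0x7E).cover?(b) || b >= 0x80 }

    tags << { weak: weak, tag: tag }

    # After a tag only whitespace, a comma, or end of input may follow.
    i += 1 while i < n && (s[i] == " " || s[i] == "\t")
    return nil unless i >= n || s[i] == ","
  end
  tags.empty? ? nil : tags
end

# Decide whether the client's header matches the response's ETag.
# weak: false  -> strong comparison (If-Match): both tags strong and equal.
# weak: true   -> weak comparison (If-None-Match): weakness indicator ignored.
def etag_matches?(header_value, response_etag, weak: false)
  client = parse_etag_list(header_value)
  return false if client.nil?
  return true if client == :any

  target = parse_etag_list(response_etag)
  return false unless target.is_a?(Array) && target.length == 1

  t = target.first
  client.any? do |e|
    next false if !weak && (e[:weak] || t[:weak])
    e[:tag] == t[:tag]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header values, as a client might send them.
  p parse_etag_list('"abc", W/"def"')
  p etag_matches?('"abc", W/"def"', '"def"', weak: true)   # If-None-Match style
  p etag_matches?('"abc", W/"def"', '"def"', weak: false)  # If-Match style
  p parse_etag_list('"' + ("a" * 5000)) # over the cap -> nil, never parsed
end
```

The size cap is a second, independent bound: even a linear parser should not be fed an unbounded header, and rejecting over-long values before parsing keeps the worst case at a constant cost per request.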
References
- bugs.ruby-lang.org/issues/19104
- github.com/advisories/GHSA-mr3q-g2mv-mr4q
- github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml
- github.com/sinatra/sinatra
- github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd
- github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb
- github.com/sinatra/sinatra/issues/2120
- github.com/sinatra/sinatra/pull/1823
- github.com/sinatra/sinatra/pull/2121
- github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q
- nvd.nist.gov/vuln/detail/CVE-2025-61921