VulnerableCode Package Details - pkg:gem/sinatra@4.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-tax5-a72w-mbhy Aliases: CVE-2025-61921 GHSA-mr3q-g2mv-mr4q	Sinatra is vulnerable to ReDoS through ETag header value generation There is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response and you are using Ruby < 3.2.	4.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tax5-a72w-mbhy
Aliases:
CVE-2025-61921
GHSA-mr3q-g2mv-mr4q

Sinatra is vulnerable to ReDoS through ETag header value generation There is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response and you are using Ruby < 3.2.

4.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-vy9q-nvxx-yfh5	Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.	CVE-2024-21510 GHSA-hxx2-7vcw-mqr3

Vulnerability

Summary

Aliases

VCID-vy9q-nvxx-yfh5

Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

CVE-2024-21510
GHSA-hxx2-7vcw-mqr3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T17:41:34.509308+00:00	Ruby Importer	Affected by	VCID-tax5-a72w-mbhy	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml	38.4.0
2026-04-12T01:09:00.198596+00:00	GitLab Importer	Affected by	VCID-tax5-a72w-mbhy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/sinatra/CVE-2025-61921.yml	38.3.0
2026-04-11T21:39:33.535337+00:00	Ruby Importer	Affected by	VCID-tax5-a72w-mbhy	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml	38.3.0
2026-04-07T04:56:18.968004+00:00	GHSA Importer	Fixing	VCID-vy9q-nvxx-yfh5	https://github.com/advisories/GHSA-hxx2-7vcw-mqr3	38.1.0
2026-04-03T01:17:41.857345+00:00	GitLab Importer	Affected by	VCID-tax5-a72w-mbhy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/sinatra/CVE-2025-61921.yml	38.1.0
2026-04-02T19:37:00.306834+00:00	Ruby Importer	Affected by	VCID-tax5-a72w-mbhy	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml	38.1.0
2026-04-02T12:40:19.202977+00:00	GitLab Importer	Fixing	VCID-vy9q-nvxx-yfh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/sinatra/CVE-2024-21510.yml	38.0.0
2026-04-01T15:54:40.886714+00:00	Ruby Importer	Affected by	VCID-tax5-a72w-mbhy	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml	38.0.0
2026-04-01T12:51:10.560410+00:00	GithubOSV Importer	Fixing	VCID-vy9q-nvxx-yfh5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-hxx2-7vcw-mqr3/GHSA-hxx2-7vcw-mqr3.json	38.0.0