
sinatra-3.2.0.gem: 2 vulnerabilities (highest severity is: 5.4) #144

@mend-bolt-for-github

Description

Vulnerable Library - sinatra-3.2.0.gem

Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

Library home page: https://rubygems.org/gems/sinatra-3.2.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Vulnerabilities

| Vulnerability  | Severity | CVSS | Dependency        | Type   | Fixed in (sinatra version) | Remediation Possible** |
|----------------|----------|------|-------------------|--------|----------------------------|------------------------|
| CVE-2024-21510 | Medium   | 5.4  | sinatra-3.2.0.gem | Direct | sinatra - 4.1.0            |                        |
| CVE-2025-61921 | Medium   | 5.3  | sinatra-3.2.0.gem | Direct | sinatra - 4.2.0            |                        |

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a fixed version is available.
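The table above gives one fixed version per CVE, so the practical check is "is the version pinned in Gemfile.lock older than 4.1.0 (CVE-2024-21510) and older than 4.2.0 (CVE-2025-61921)?". The script below is an added example written for this report, not part of the Mend output: it reads the `specs:` block of a Gemfile.lock, pulls out the resolved sinatra version and compares it with Gem::Version against both fixed versions. The lockfile text embedded in it is constructed to resemble the affected one (sinatra 3.2.0 pinned as a direct dependency); the CVE-to-fix mapping is taken from the table.

```ruby
# Added example: which of the two sinatra advisories in this report are still
# open for the version pinned in a Gemfile.lock. Not part of the Mend report.
require "rubygems" # Gem::Version

# Fixed-in versions as listed in the report table.
SINATRA_FIXES = {
  "CVE-2024-21510" => Gem::Version.new("4.1.0"),
  "CVE-2025-61921" => Gem::Version.new("4.2.0"),
}.freeze

# Collect "name (version)" entries from the specs section of a Gemfile.lock.
# A resolved gem is indented by exactly four spaces ("    sinatra (3.2.0)");
# its own dependencies are indented by six and are skipped.
def lock_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    m = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# CVE ids whose fixed version is newer than the pinned sinatra version.
# Returns [] when sinatra is not in the lockfile at all.
def open_sinatra_cves(lock_text)
  pinned = lock_versions(lock_text)["sinatra"]
  return [] unless pinned
  SINATRA_FIXES.select { |_cve, fixed| pinned < fixed }.keys
end

# Constructed sample lockfile (not the repository's real Gemfile.lock).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (3.0.3)
        ruby2_keywords (~> 0.0.1)
      rack (2.2.9)
      sinatra (3.2.0)
        mustermann (~> 3.0)
        rack (~> 2.2, >= 2.2.4)
        tilt (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    sinatra (~> 3.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  pinned = lock_versions(SAMPLE_LOCK)["sinatra"]
  puts "sinatra #{pinned}: open advisories #{open_sinatra_cves(SAMPLE_LOCK).inspect}"
end
```

Run it against a real lockfile with `open_sinatra_cves(File.read("Gemfile.lock"))`. Bumping only to 4.1.0 closes the redirect issue but leaves CVE-2025-61921 open, so the target for this report is 4.2.0 or later.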

Details

CVE-2024-21510

Vulnerable Library - sinatra-3.2.0.gem


Dependency Hierarchy:

  • sinatra-3.2.0.gem (Vulnerable Library)

Found in base branch: source

Vulnerability Details

All versions of the sinatra package before 4.1.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When a route responds with `redirect` to a relative path, Sinatra builds the absolute Location URL from the request's host, and that host is taken from X-Forwarded-Host whenever the header is present. An attacker who can set the header therefore chooses the redirect target (an open redirect). Where the application sits behind a cache or reverse proxy such as Nginx that forwards X-Forwarded-Host without overwriting it, the attacker-controlled Location can be stored and served to other users (cache poisoning) or used to steer requests to attacker-chosen hosts (routing-based SSRF).
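The following is an added example written for this report, not Sinatra's or Rack's own code: a plain-Ruby model of how a relative redirect becomes an absolute Location header when the host is read from X-Forwarded-Host, next to the allowlist check that closes the hole (Sinatra 4.1.0 addresses the issue with a host authorization setting that plays the same role in front of the application). The Rack-style env hashes, the allowlist `PERMITTED_HOSTS` and the hostname `attacker.example` are all constructed for the example.

```ruby
# Added example: absolute redirect built from the forwarded host (vulnerable)
# versus the same redirect gated by a host allowlist (hardened). This models
# the behaviour described in the advisory; it is not Sinatra's implementation.

# Host as a framework that trusts proxy headers sees it: a present
# X-Forwarded-Host wins over Host. This model takes the first listed value.
def effective_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s
  return forwarded.split(",").first.strip unless forwarded.empty?
  env["HTTP_HOST"].to_s
end

def request_scheme(env)
  env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"] || "http"
end

# Vulnerable: the Location header is assembled from whatever host the
# request claimed, so the header above decides where the client is sent.
def absolute_redirect(env, path)
  "#{request_scheme(env)}://#{effective_host(env)}#{path}"
end

# Hardened: only hosts on an explicit allowlist may appear in a Location.
PERMITTED_HOSTS = %w[app.example.com].freeze  # assumed allowlist for the example

class UntrustedHost < StandardError; end

def safe_absolute_redirect(env, path, permitted: PERMITTED_HOSTS)
  host = effective_host(env)
  name = host.sub(/:\d+\z/, "").downcase  # compare the bare hostname, not host:port
  raise UntrustedHost, "refusing to redirect via host #{host.inspect}" unless permitted.include?(name)
  "#{request_scheme(env)}://#{host}#{path}"
end

# Constructed requests: the second carries a client-supplied X-Forwarded-Host
# that a proxy forwarded unchanged.
NORMAL_ENV = {
  "rack.url_scheme" => "https",
  "HTTP_HOST" => "app.example.com",
}.freeze
ATTACK_ENV = NORMAL_ENV.merge("HTTP_X_FORWARDED_HOST" => "attacker.example").freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{absolute_redirect(ATTACK_ENV, '/login')}"
  begin
    safe_absolute_redirect(ATTACK_ENV, "/login")
  rescue UntrustedHost => e
    puts "hardened:   #{e.message}"
  end
end
```

If a trusted proxy is the only thing that should set X-Forwarded-Host, make it overwrite the header unconditionally rather than pass it through (in Nginx, `proxy_set_header X-Forwarded-Host $host;` replaces any client-supplied value), and still upgrade to 4.1.0 or later so the framework refuses unexpected hosts on its own.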

Publish Date: 2024-11-01

URL: CVE-2024-21510

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-hxx2-7vcw-mqr3

Release Date: 2024-11-01

Fix Resolution: sinatra - 4.1.0


CVE-2025-61921

Vulnerable Library - sinatra-3.2.0.gem


Dependency Hierarchy:

  • sinatra-3.2.0.gem (Vulnerable Library)

Found in base branch: source

Vulnerability Details

Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, the code that parses the "If-Match" and "If-None-Match" request headers has a denial-of-service weakness, reachable whenever the application uses the "etag" method when constructing a response. A carefully crafted header value makes that parsing take an unexpected amount of time, giving an unauthenticated remote client a denial-of-service vector. These request headers carry the entity tags a client already holds; the "etag" method compares them against the "ETag" value it generates for the response, which is why every application that calls "etag" while generating a response is affected. Version 4.2.0 fixes the issue.
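The advisory says only that parsing the header "can take an unexpected amount of time" on crafted input, which is the signature of a header parser whose cost is not linear in the header length. The block below is an added example written for this report, not Sinatra's code and not necessarily the shape of the 4.2.0 patch: a conditional-request check that parses If-Match / If-None-Match with a single literal-comma split (one pass over the input) and rejects oversized values before parsing them. The size cap `MAX_CONDITIONAL_HEADER_BYTES` and the sample header values are assumptions made for the example.

```ruby
# Added example: bounded, linear-time parsing of If-Match / If-None-Match and
# the 304-or-200 decision an etag helper makes from it. Illustrates the fix
# pattern for this class of bug; it is not Sinatra's implementation.

MAX_CONDITIONAL_HEADER_BYTES = 4096  # assumed cap; align with your proxy's header limit

# Split a header value into entity tags.
#   "*"                      -> :any
#   '"a", W/"b" ,"c"'        -> ['"a"', 'W/"b"', '"c"']
#   value over the size cap  -> nil (refuse to parse rather than grind)
# A literal split plus strip touches each byte once. A regex with nested
# optional whitespace such as /\s*,\s*/ can instead backtrack quadratically
# on a long run of spaces with no comma on engines that do not memoize.
def parse_etag_list(value)
  value = value.to_s
  return nil if value.bytesize > MAX_CONDITIONAL_HEADER_BYTES
  return :any if value.strip == "*"
  value.split(",").map(&:strip).reject(&:empty?)
end

# Weak comparison as HTTP specifies for If-None-Match on GET: a W/ prefix on
# either side is ignored, the opaque tag text must be identical.
def etag_matches?(header_value, current_etag)
  list = parse_etag_list(header_value)
  return false if list.nil?   # oversized header: treat as no match, serve the body
  return true if list == :any
  strip_weak = ->(tag) { tag.sub(%r{\AW/}, "") }
  list.map(&strip_weak).include?(strip_weak.call(current_etag))
end

# Status a GET should return for the given If-None-Match and the ETag the
# response is about to carry: 304 when the client already has it, else 200.
def conditional_get_status(if_none_match, current_etag)
  etag_matches?(if_none_match, current_etag) ? 304 : 200
end

if __FILE__ == $PROGRAM_NAME
  current = '"a1b2c3"'                          # constructed response ETag
  puts conditional_get_status('"a1b2c3"', current)       # client is up to date
  puts conditional_get_status('"stale"', current)        # client needs the body
  puts conditional_get_status(" " * 100_000, current)    # oversized: parsed as no match
end
```

Upgrading to 4.2.0 is the real fix; the cap is the defence-in-depth layer a reverse proxy or middleware can enforce so that no header parser in the stack sees a multi-kilobyte conditional header in the first place.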

Publish Date: 2025-10-10

URL: CVE-2025-61921

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-mr3q-g2mv-mr4q

Release Date: 2025-10-10

Fix Resolution: sinatra - 4.2.0

