
AIKIDO-2025-10702

sinatra is vulnerable to Inefficient Regular Expression Complexity

Inefficient Regular Expression Complexity | CVE-2025-61921 | Published Oct 10, 2025

30 (Low Risk)

This Affects:

Ruby / sinatra
1.2.7 - 4.1.1
Fixed in 4.2.0

TL;DR

Affected versions of this package are vulnerable to a Regular Expression Denial of Service (ReDoS) via the split(/\s*,\s*/) operation on untrusted ETag headers. The vulnerable regular expression, which matches any number of whitespace characters around commas, can be exploited by an attacker sending a specially crafted, excessively long string of whitespace and commas in the ETag header. This can cause catastrophic backtracking in the regex engine, consuming massive amounts of CPU and resulting in a complete denial of service.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

sinatra is vulnerable to Inefficient Regular Expression Complexity in versions 1.2.7 - 4.1.1.

How to fix this

Upgrade the sinatra library to the patched version (4.2.0 or later).
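As an added illustration (not code from the advisory or from Sinatra itself), the regex shape the TL;DR describes beside a linear-time replacement; the function names and sample header values are my own, and the replacement is a suggestion rather than the upstream patch.

```ruby
require 'benchmark'

# Pattern shape named in the advisory: a whitespace quantifier on each side of
# a comma, applied to an untrusted ETag header value. On a backtracking engine
# without memoization, a long whitespace run that is not followed by a comma is
# re-scanned from every start position, so cost grows with the square of the
# run length.
def parse_etags_vulnerable(header)
  header.split(/\s*,\s*/)
end

# Linear-time replacement (a suggestion, not necessarily Sinatra's own patch):
# split on the literal comma in one pass, then trim each entry. No quantifier
# sits in front of a character that may be absent, so nothing backtracks.
# Unlike the regex form, this also trims whitespace at the ends of the value.
def parse_etags_linear(header)
  header.split(',').map(&:strip)
end

# Constructed regression input of the kind the advisory describes: long
# whitespace runs around a couple of entries. Used only to check that the
# hardened parser stays fast and still returns the expected entries.
def crafted_header(run_length)
  pad = ' ' * run_length
  "#{pad}\"x\"#{pad},\"y\""
end

# Defence in depth on Ruby 3.2+: a global match deadline turns any remaining
# super-linear regex into a Regexp::TimeoutError instead of a pinned CPU.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

if __FILE__ == $PROGRAM_NAME
  sample = '"abc", W/"def" ,"ghi"'
  p parse_etags_vulnerable(sample) # both print ["\"abc\"", "W/\"def\"", "\"ghi\""]
  p parse_etags_linear(sample)
  [1_000, 2_000, 4_000].each do |n|
    slow = Benchmark.realtime { parse_etags_vulnerable(crafted_header(n)) }
    fast = Benchmark.realtime { parse_etags_linear(crafted_header(n)) }
    printf("run=%5d  regex split: %.4fs  literal split: %.5fs\n", n, slow, fast)
  end
end
```

On Ruby 3.2 and later the interpreter's own regex memoization already makes many patterns of this shape linear and Regexp.timeout gives a backstop, so the timings may look similar there; on older rubies only the code change helps, which is why upgrading Sinatra remains the fix.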