CVE-2022-45442 HIGH

CVE-2022-45442: Sinatra vulnerable to Reflected File Download attack

Vendor Sinatra
Product sinatra
Weakness CWE-494 · Download without integrity check
Published November 28, 2022
Last update November 4, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application that sets the Content-Disposition header of a response with a filename derived from user-supplied input is vulnerable to a reflected file download (RFD) attack. Versions 2.2.3 and 3.0.4 contain patches for this issue.
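The following is an added example, not Sinatra's own code or its actual patch, illustrating the defensive pattern the description points at: a Content-Disposition header must not be built by interpolating a user-controlled filename. It is plain Ruby with no Sinatra dependency; the extension allowlist, the default extension and the helper names are assumptions made for this example.

```ruby
# Added example (not Sinatra's code): deriving a download filename from
# untrusted input without letting that input control the header or the
# file type the browser will save. Hypothetical policy values follow.
ALLOWED_EXTENSIONS = %w[txt csv json pdf png].freeze # assumed app policy
DEFAULT_EXTENSION  = 'txt'

# BEFORE: the pattern this CVE describes. Whatever the request supplies lands
# verbatim in the header, so the caller picks the extension (e.g. .bat) and
# can inject further header parameters.
def unsafe_content_disposition(user_filename)
  "attachment; filename=\"#{user_filename}\""
end

# Percent-encode every byte outside the unreserved set, for the RFC 5987
# filename* parameter (non-ASCII names need this form).
def percent_encode_utf8(str)
  str.gsub(/[^A-Za-z0-9._-]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Reduce untrusted input to a single path component and drop control
# characters (CR/LF would split the header), quotes and backslashes (which
# would break the quoted-string) and ';' (a parameter separator).
def sanitize_filename(name)
  base = name.to_s.split(%r{[/\\]}).last.to_s
  base = base.gsub(/[\x00-\x1f\x7f"\\;]/, '').strip
  base = 'download' if base.empty? || base == '.' || base == '..'
  base
end

# Force the final extension onto the allowlist: if the request asked for a
# type the application does not serve, append the default extension instead.
def enforce_extension(name)
  ext = File.extname(name).delete_prefix('.').downcase
  return name if ALLOWED_EXTENSIONS.include?(ext)

  "#{name}.#{DEFAULT_EXTENSION}"
end

# AFTER: the header is assembled only from sanitized pieces. The plain
# filename= value is restricted to ASCII-safe characters; the original
# (sanitized) name travels in filename* when it differs.
def content_disposition(user_filename, type: 'attachment')
  name   = enforce_extension(sanitize_filename(user_filename))
  ascii  = name.gsub(/[^A-Za-z0-9._-]/, '_')
  header = "#{type}; filename=\"#{ascii}\""
  header += "; filename*=UTF-8''#{percent_encode_utf8(name)}" if name != ascii
  header
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs for illustration.
  ['report.csv', '../../setup.bat', "a.txt\r\nX-Injected: 1", 'résumé.pdf'].each do |n|
    puts "#{n.inspect} -> #{content_disposition(n)}"
  end
end
```

The sanitization alone (path stripping, CR/LF and quote removal) closes the header-injection part; the extension allowlist is what removes the RFD condition, because an RFD relies on the client saving reflected content under an executable extension chosen by the request. An application that can choose the filename itself should not derive it from the request at all.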

Key dates

Disclosure timeline

November 28, 2022 CVE published
November 4, 2025 Record updated