diff --git a/Gemfile.lock b/Gemfile.lock
index 54f1eca6fa..80059514b4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -71,7 +71,7 @@ PATH
 pdf-reader
 pg
 puma
- rack
+ rack (~> 2.2)
 railties
 rasn1 (= 0.14.0)
 rb-readline
@@ -102,13 +102,13 @@ PATH
 ruby_smb (~> 3.3.15)
 rubyntlm
 rubyzip
- sinatra
+ sinatra (~> 3.2)
 sqlite3 (= 1.7.3)
 sshkey
 stringio (= 3.1.1)
 swagger-blocks
 syslog
- thin
+ thin (~> 1.x)
 tzinfo
 tzinfo-data
 unix-crypt
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 2b8e9e2620..dc2c567e61 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -107,9 +107,12 @@ Gem::Specification.new do |spec|
 # Required for Metasploit Web Services
 spec.add_runtime_dependency 'puma'
 spec.add_runtime_dependency 'ruby-mysql'
- spec.add_runtime_dependency 'thin'
- spec.add_runtime_dependency 'sinatra'
- spec.add_runtime_dependency 'rack'
+ # webserver - pinned due to: https://github.com/github/secure_headers/issues/514
+ spec.add_runtime_dependency 'thin', '~> 1.x'
+ # rack pinned due to authlogic warnings when setting cookie keys with a / char present: https://github.com/binarylogic/authlogic/issues/779
+ spec.add_runtime_dependency 'rack', '~> 2.2'
+ # 4.x needs tested and verified for JSON RPC service
+ spec.add_runtime_dependency 'sinatra', '~> 3.2'
 spec.add_runtime_dependency 'warden'
 spec.add_runtime_dependency 'swagger-blocks'
 # Required for JSON-RPC client
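Review bot: The `'~> 1.x'` constraint on `thin` in the gemspec hunk is not a plain numeric version; RubyGems appears to treat a segment containing a letter as a prerelease, so this requirement may also admit prerelease builds of thin, which is looser than a pin is meant to be. Writing it as `spec.add_runtime_dependency 'thin', '~> 1.0'` would state the 1.x range explicitly, after confirming the lowest 1.x release that is actually supported. The comments say why `rack` and `thin` are capped but not when the caps can be lifted. Since `rack ~> 2.2` and `sinatra ~> 3.2` hold the web-service stack on older release lines, a follow-up comment such as `# TODO: lift the cap once the linked issue is resolved; watch for security releases on this line` would help whoever triages dependency advisories. The enclosing `Gem::Specification.new` block starts and ends outside the hunk.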