CVE-2025-30221
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Shopify | pitchfork | < 0.11.0 | affected |
Weaknesses
- CWE-113: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
- https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.