Description
Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP response header injection (CWE-113: unneutralized CR/LF sequences in a response header let additional headers be smuggled into the response) when used with Rack 3. The CVSS vector rates the impact as a low integrity loss with user interaction required. The issue was fixed in Pitchfork release 0.11.0; no workarounds are known, so upgrading is the only remediation.
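The bug class named above, CWE-113, is easiest to see in a response serializer. The Ruby below is an added illustration, not Pitchfork's code: the page does not state the root cause of the Pitchfork defect, so the naive serializer here is a generic instance of the class, not a reconstruction of the fixed bug. It uses a Rack 3 style headers Hash (lowercase names; each value either a String or an Array of Strings, which Rack 3 permits) and a constructed attacker-controlled value; the function and constant names are the example's own.

```ruby
# Added illustration of CWE-113 (CRLF injection into HTTP response headers)
# in a Rack 3 style response serializer. Not Pitchfork's code; the real
# defect fixed in Pitchfork 0.11.0 is not described on this page.

CRLF = "\r\n"

class HeaderInjectionError < StandardError; end

# RFC 9110 token characters, the only ones allowed in a header field name.
# ($ is escaped so Ruby does not treat "#$" as global-variable interpolation.)
HEADER_NAME = /\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Naive serializer: copies each header value into the wire format verbatim.
# Rack 3 allows a value to be a String or an Array of Strings; Array() wraps
# the single-String case so both are handled. A value carrying "\r\n" ends the
# current header early and whatever follows becomes a header of its own.
def serialize_headers_naive(status, headers)
  out = +"HTTP/1.1 #{status}#{CRLF}"
  headers.each do |name, value|
    Array(value).each { |v| out << "#{name}: #{v}#{CRLF}" }
  end
  out << CRLF
end

# Hardened serializer: validate the name against the token grammar and reject
# any CR, LF or NUL in a value before a single byte is written, so a tainted
# value fails closed instead of being split into extra headers.
def serialize_headers_safe(status, headers)
  out = +"HTTP/1.1 #{status}#{CRLF}"
  headers.each do |name, value|
    unless name.is_a?(String) && name.match?(HEADER_NAME)
      raise HeaderInjectionError, "invalid header name #{name.inspect}"
    end
    Array(value).each do |v|
      v = v.to_s
      if v.match?(/[\r\n\0]/)
        raise HeaderInjectionError, "CR/LF/NUL in value of #{name}"
      end
      out << "#{name}: #{v}#{CRLF}"
    end
  end
  out << CRLF
end

# Parse the header block back out of a serialized response, as a client would,
# and return the header lines with the status line dropped. This shows how
# many headers the receiver actually sees.
def header_lines(raw)
  head, _body = raw.split(CRLF + CRLF, 2)
  head.split(CRLF).drop(1)
end

# Constructed attacker input: a redirect target that the application echoed
# into Location without checking it for CRLF. The smuggled line sets a cookie
# the application never issued.
TAINTED_LOCATION = "/next\r\nSet-Cookie: session=attacker"
TAINTED_HEADERS = { "content-type" => "text/plain", "location" => TAINTED_LOCATION }

if __FILE__ == $PROGRAM_NAME
  puts "naive serializer emitted:"
  header_lines(serialize_headers_naive(302, TAINTED_HEADERS)).each { |l| puts "  #{l}" }
  begin
    serialize_headers_safe(302, TAINTED_HEADERS)
  rescue HeaderInjectionError => e
    puts "hardened serializer rejected the response: #{e.message}"
  end
end
```

Run it with `ruby header_injection.rb`: the naive serializer emits a third header line, `Set-Cookie`, that the application never set, while the hardened one raises before anything is written. The check belongs on the server's write path as the last line of defence: Rack's SPEC already forbids control characters in header values, but a server cannot assume every application and middleware obeyed it.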
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
Scores
CVSS v3: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Attack Vector: NETWORK
EPSS: 0.0023 (percentile 13.8%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-113
Status: published
Products (2)
rubygems/pitchfork (RubyGems): >= 0, < 0.11.0
Shopify/pitchfork: < 0.11.0
Published: Mar 27, 2025
Tracked Since: Feb 18, 2026