CVE-2025-30221

MEDIUM

Pitchfork <0.11.0 - HTTP Response Header Injection


Description

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.

Scores

CVSS v3 4.3
EPSS 0.0028
EPSS Percentile 51.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-113
Status published
Products (2)
rubygems/pitchfork 0 - 0.11.0 (RubyGems)
Shopify/pitchfork < 0.11.0
Published Mar 27, 2025
Tracked Since Feb 18, 2026