RubySec

Providing security resources for the Ruby community

CVE-2025-30221 (pitchfork): Pitchfork HTTP Request/Response Splitting vulnerability

GEM

pitchfork

SEVERITY

CVSS v3.x: 4.3 (Medium)

PATCHED VERSIONS

  • >= 0.11.0

DESCRIPTION

Impact

HTTP response header injection in Pitchfork versions < 0.11.0 when used in conjunction with Rack 3.

Patches

The issue was fixed in Pitchfork release 0.11.0.

Workarounds

There are no known workarounds. Users must upgrade.
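
To find out whether an application falls under the conditions above (Pitchfork older than 0.11.0 locked together with Rack 3), the lockfile can be checked directly. The script below is an added example, not part of the advisory or of Pitchfork; the helper names, status symbols and sample lockfile are assumptions made for illustration.

```ruby
require "rubygems"

PATCHED_PITCHFORK = Gem::Version.new("0.11.0") # fixed release named in the advisory
RACK_3 = Gem::Version.new("3.0.0")             # advisory condition: used with Rack 3

# Constructed sample Gemfile.lock (versions are illustrative, not from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      pitchfork (0.10.0)
        rack (>= 2.0)
      rack (3.1.12)

  PLATFORMS
    ruby
LOCK

# Return { gem_name => locked_version } from the "specs:" blocks of a lockfile.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.match?(/\A  specs:\s*\z/)
      in_specs = true
    elsif line.match?(/\A\S/) # a new top-level section ends the specs block
      in_specs = false
    elsif in_specs && (m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2] # 4-space lines are resolved gems; deeper lines are dependencies
    end
  end
  versions
end

# Hypothetical helper: classify a lockfile against the advisory's stated conditions.
def cve_2025_30221_status(lockfile_text)
  locked = locked_versions(lockfile_text)
  pitchfork = locked["pitchfork"]
  return :pitchfork_not_locked if pitchfork.nil?
  return :patched if Gem::Version.new(pitchfork) >= PATCHED_PITCHFORK
  rack = locked["rack"]
  return :unpatched_rack_unknown if rack.nil?
  Gem::Version.new(rack) >= RACK_3 ? :affected : :unpatched_without_rack3
end

puts "CVE-2025-30221: #{cve_2025_30221_status(SAMPLE_LOCK)}"
```

Replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")` to check a real project; any result other than `:patched` or `:pitchfork_not_locked` means the locked Pitchfork predates the fix.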
