ADVISORIES

• CVE-2025-30221 (NVD)
• GHSA-pfqj-w6r6-g86v
• Vendor Advisory

GEM

pitchfork

SEVERITY

CVSS v3.x: 4.3 (Medium)

PATCHED VERSIONS

• >= 0.11.0

DESCRIPTION

Impact

HTTP Response Header Injection in Pitchfork Versions < 0.11.0 when used in conjunction with Rack 3

Patches

The issue was fixed in Pitchfork release 0.11.0

Workarounds

There are no known work arounds. Users must upgrade.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2025-30221
• https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
• https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55
• https://github.com/advisories/GHSA-pfqj-w6r6-g86v