Pitchfork HTTP Request/Response Splitting vulnerability
Published: March 27, 2025
SECURITY IDENTIFIERS
- CVE: CVE-2025-30221 (NVD)
- GHSA: GHSA-pfqj-w6r6-g86v
- Vendor Advisory: https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
GEM
SEVERITY
CVSS v3.x: 4.3 (Medium)
PATCHED VERSIONS
>= 0.11.0
DESCRIPTION
Impact
HTTP Response Header Injection in Pitchfork Versions < 0.11.0 when used in conjunction with Rack 3
Patches
The issue was fixed in Pitchfork release 0.11.0
Workarounds
There are no known workarounds. Users must upgrade.
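As an added check (not part of this advisory or of Pitchfork itself), the following Ruby scans a Gemfile.lock for the combination the advisory names, pitchfork below 0.11.0 pinned together with Rack 3, and reports whether an upgrade is required. The sample lockfile is constructed for illustration.

```ruby
# Added example: flag a Gemfile.lock that pins pitchfork < 0.11.0 alongside Rack 3,
# the affected combination described in CVE-2025-30221 / GHSA-pfqj-w6r6-g86v.
require "rubygems"

# Patched range from the advisory: >= 0.11.0
PITCHFORK_FIXED = Gem::Requirement.new(">= 0.11.0")
# The advisory states the issue applies when pitchfork is used with Rack 3
RACK_AFFECTED   = Gem::Requirement.new("~> 3.0")

# Return a hash of gem name => Gem::Version for the "specs:" section of a
# Gemfile.lock. Only top-level spec lines (4-space indent) are considered;
# their indented dependency lines (6-space indent) are skipped.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    # A non-indented line starts a new section (PLATFORMS, DEPENDENCIES, ...)
    in_specs = false if line =~ /^\S/
    next unless in_specs
    if (m = line.match(/^    (\S+) \(([^)]+)\)/))
      # Strip a platform suffix such as "-x86_64-linux" before parsing
      versions[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ""))
    end
  end
  versions
end

# Returns a finding string if the lockfile pins an affected pitchfork together
# with Rack 3, or nil when the combination from the advisory is not present.
def check_pitchfork_cve_2025_30221(lock_text)
  versions = lockfile_versions(lock_text)
  pitchfork = versions["pitchfork"]
  rack = versions["rack"]
  return nil if pitchfork.nil? || rack.nil?
  return nil if PITCHFORK_FIXED.satisfied_by?(pitchfork)
  return nil unless RACK_AFFECTED.satisfied_by?(rack)
  "pitchfork #{pitchfork} with rack #{rack}: affected by CVE-2025-30221, " \
    "upgrade pitchfork to >= 0.11.0"
end

# Constructed sample lockfile (not taken from any real project)
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      pitchfork (0.10.0)
        rack (>= 2.0)
      rack (3.1.7)

  PLATFORMS
    ruby
LOCK

puts(check_pitchfork_cve_2025_30221(SAMPLE_LOCK) || "not affected") if __FILE__ == $0
```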
