Home > Vulnerability Database > CVE-2025-30221

Mend.io Vulnerability Database

CVE-2025-30221

Good to know:

Date: March 27, 2025

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.

Severity Score

4.3

Related Resources (6)

Url: https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v

Url: https://github.com/Shopify/pitchfork

Url: https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pitchfork/CVE-2025-30221.yml

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-30221

Url: https://www.mend.io/vulnerability-database/CVE-2025-30221

Severity Score

4.3

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-113

Top Fix

Upgrade Version

Upgrade to version pitchfork - 0.11.0;https://github.com/Shopify/pitchfork.git - v0.11.0

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-30221

Good to know:

Date: March 27, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?