CVE-2025-30221

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30221

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30221.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30221

Aliases

GHSA-pfqj-w6r6-g86v

Published

2025-03-27T14:46:32.430Z

Modified

2025-12-05T08:54:22.749351Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Pitchfork HTTP Request/Response Splitting vulnerability

Details

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30221.json",
    "cwe_ids": [
        "CWE-113"
    ]
}

References

Affected packages

Git / github.com/shopify/pitchfork

Affected ranges

Type: GIT
Repo: https://github.com/shopify/pitchfork
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

abab81f2afdc3927fd240ccff366eedca20380f8

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.10.0

v0.2.0

v0.3.0

v0.4.0

v0.4.1

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0