GHSA-pfqj-w6r6-g86v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pfqj-w6r6-g86v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-pfqj-w6r6-g86v/GHSA-pfqj-w6r6-g86v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pfqj-w6r6-g86v
- Aliases
- Published
- 2025-03-27T18:01:18Z
- Modified
- 2025-03-28T16:31:51.247759Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Pitchfork HTTP Request/Response Splitting vulnerability
- Details
-
Impact
HTTP Response Header Injection in Pitchfork Versions < 0.11.0 when used in conjunction with Rack 3
Patches
The issue was fixed in Pitchfork release 0.11.0
Workarounds
There are no known work arounds. Users must upgrade.
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-03-27T15:16:02Z", "github_reviewed_at": "2025-03-27T18:01:18Z", "severity": "MODERATE", "cwe_ids": [ "CWE-113" ] }- References
-
- https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
- https://nvd.nist.gov/vuln/detail/CVE-2025-30221
- https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55
- https://github.com/Shopify/pitchfork
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pitchfork/CVE-2025-30221.yml
Affected packages
RubyGems / pitchfork
Package
- Name
- pitchfork
- Purl
- pkg:gem/pitchfork