Medium severity (CVSS 4.3, NVD) · Advisory · Published Mar 27, 2025 · Updated Apr 15, 2026
CVE-2025-30221
Description
Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.
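The class of bug named in the description, as an added illustration that is not Pitchfork's code and not the 0.11.0 patch: a naive response-header serializer that writes each value straight into the wire format, so a CR/LF embedded in a value ends the header line and whatever follows is parsed by the client as a new header, beside a serializer that emits Rack 3 Array values one line each and rejects any CR or LF instead of writing it. A version-range helper for the affected range (< 0.11.0) and a small Rack middleware that fails closed on such values are included. The header sample, the serializer shapes, and the names `serialize_headers_naive`, `serialize_headers_safe`, `HeaderGuard` and `pitchfork_affected?` are assumptions made for this example.

```ruby
require "rubygems"

# Pitchfork versions below this fall in the advisory's affected range.
PITCHFORK_FIXED_VERSION = Gem::Version.new("0.11.0")

# True when the given pitchfork version string is in the affected range (< 0.11.0).
def pitchfork_affected?(version_string)
  Gem::Version.new(version_string) < PITCHFORK_FIXED_VERSION
end

# Constructed sample headers in Rack 3 shape (lowercase keys, String or Array values).
# The "location" value carries an embedded CRLF; this is made-up input, not a real exploit.
TAINTED_HEADERS = {
  "content-type" => "text/html",
  "location" => "/home\r\nSet-Cookie: session=attacker",
  "set-cookie" => ["a=1", "b=2"],
}.freeze

# Hypothetical naive serializer, illustrating the bug class: values are interpolated
# directly, so a CR/LF inside a value terminates the header line on the wire.
def serialize_headers_naive(headers)
  headers.map { |key, value| Array(value).map { |v| "#{key}: #{v}\r\n" }.join }.join
end

class HeaderInjection < StandardError; end

# Hypothetical hardened serializer: Rack 3 multi-value headers are Arrays, so each element
# gets its own line, and any CR or LF in a name or value is rejected rather than written,
# because in Rack 3 a newline is never a legitimate value separator.
def serialize_headers_safe(headers)
  headers.each_with_object(+"") do |(key, value), buf|
    raise HeaderInjection, "CR/LF in header name #{key.inspect}" if key.match?(/[\r\n]/)
    Array(value).each do |v|
      v = v.to_s
      raise HeaderInjection, "CR/LF in value of #{key}: #{v.inspect}" if v.match?(/[\r\n]/)
      buf << "#{key}: #{v}\r\n"
    end
  end
end

# Splits a serialized header block the way a client would: one entry per wire line.
def wire_header_lines(wire)
  wire.split("\r\n")
end

# Assumed middleware name: validates outgoing headers before they reach the server layer,
# so an application cannot hand an injectable value down to whatever server is underneath.
class HeaderGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    serialize_headers_safe(headers) # raises HeaderInjection on a bad value
    [status, headers, body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # The naive path yields five header lines from three headers: the injected
  # "Set-Cookie: session=attacker" shows up as its own line.
  puts wire_header_lines(serialize_headers_naive(TAINTED_HEADERS)).inspect
  begin
    serialize_headers_safe(TAINTED_HEADERS)
  rescue HeaderInjection => e
    puts "rejected: #{e.message}"
  end
  puts "pitchfork 0.10.0 affected? #{pitchfork_affected?('0.10.0')}"
end
```

The practical check is the first helper: compare the version reported by `gem list pitchfork` or your `Gemfile.lock` against 0.11.0, since the advisory lists no workaround. The middleware is defence in depth for applications that build header values from request data, not a substitute for upgrading.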
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pitchfork (RubyGems) | < 0.11.0 | 0.11.0 |
Patches
- 2abab81f2afdc
- 17ed9b61bf9f
References
- github.com/advisories/GHSA-pfqj-w6r6-g86v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-30221 (GHSA, advisory)
- github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55 (NVD, fix commit)
- github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v (NVD, upstream advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/pitchfork/CVE-2025-30221.yml (GHSA, ruby-advisory-db entry)