CVE-2025-30221 - Vulnerability Details - OpenCVE

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-14808	Pitchfork HTTP Request/Response Splitting vulnerability
Github GHSA	GHSA-pfqj-w6r6-g86v	Pitchfork HTTP Request/Response Splitting vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55
https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v

History

Thu, 27 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 27 Mar 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.
Title		Pitchfork HTTP Request/Response Splitting vulnerability
Weaknesses		CWE-113
References		https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55 https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
Metrics		cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-03-27T14:46:32.430Z

Updated: 2025-03-27T15:05:37.756Z

Reserved: 2025-03-18T18:15:13.851Z

Link: CVE-2025-30221

Vulnrichment

Updated: 2025-03-27T15:05:32.408Z

NVD

Status : Awaiting Analysis

Published: 2025-03-27T15:16:02.150

Modified: 2025-03-27T16:45:12.210

Link: CVE-2025-30221

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-30221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-18T18:15:13.851Z", "datePublished": "2025-03-27T14:46:32.430Z", "dateUpdated": "2025-03-27T15:05:37.756Z"}, "containers": {"cna": {"title": "Pitchfork HTTP Request/Response Splitting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}}], "references": [{"name": "https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v"}, {"name": "https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55", "tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55"}], "affected": [{"vendor": "Shopify", "product": "pitchfork", "versions": [{"version": "< 0.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-27T14:46:32.430Z"}, "descriptions": [{"lang": "en", "value": "Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available."}], "source": {"advisory": "GHSA-pfqj-w6r6-g86v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-27T15:05:25.265948Z", "id": "CVE-2025-30221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T15:05:37.756Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-27T15:05:25.265948Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T15:05:32.408Z"}}], "cna": {"title": "Pitchfork HTTP Request/Response Splitting vulnerability", "source": {"advisory": "GHSA-pfqj-w6r6-g86v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Shopify", "product": "pitchfork", "versions": [{"status": "affected", "version": "< 0.11.0"}]}], "references": [{"url": "https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v", "name": "https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55", "name": "https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-27T14:46:32.430Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30221", "state": "PUBLISHED", "dateUpdated": "2025-03-27T15:05:37.756Z", "dateReserved": "2025-03-18T18:15:13.851Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-27T14:46:32.430Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}