CVE-2025-30221

Pitchfork HTTP Request/Response Splitting vulnerability

CVSS 4.3 MEDIUMEPSS 0.3%CWE-113

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

27 mar 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Productos afectados

Shopify · pitchfork

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55 https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v