CVE-2025-30221— Pitchfork HTTP Request/Response Splitting vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-30221
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pitchfork HTTP Request/Response Splitting vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP头部中CRLF序列转义处理不恰当(HTTP响应分割)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Shopify Pitchfork 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Shopify Pitchfork是加拿大Shopify公司的一个Rack应用程序的预分叉HTTP服务器。 Shopify Pitchfork 0.11.0之前版本存在注入漏洞,该漏洞源于与Rack 3结合使用时存在HTTP响应标头注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-30221
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-30221
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Shopify
- CVE-2026-39862
Tophat has a Command Injection Vulnerability When Accessing - CVE-2026-34060
Ruby LSP has arbitrary code execution through branch setting - CVE-2025-53623
Job Iteration API is vulnerable to OS Command Injection atta - CVE-2025-48069
ejson2env has insufficient input sanitization - CVE-2024-45036
Improper Access Control Vulnerability When Accessing a Malic
Same weakness: CWE-113
- CVE-2026-42035
Axios: Header Injection via Prototype Pollution - CVE-2026-39971
Serendipity: Host Header Injection leads to SMTP header inje - CVE-2026-40175
Axios has Unrestricted Cloud Metadata Exfiltration via Heade - CVE-2026-34715
ewe Has Improper Neutralization of CRLF Sequences in HTTP He - CVE-2026-34520
AIOHTTP: C parser (llhttp) accepts null bytes and control ch
V. Comments for CVE-2025-30221
No comments yet