Updated advisory posts against rubysec/ruby-advisory-db@62b6ac2

jasnow · RubySec CI · commit 05a19209984e · 2025-03-28T15:28:09.000Z
diff --git a/advisories/_posts/2025-03-27-CVE-2025-30221.md b/advisories/_posts/2025-03-27-CVE-2025-30221.md
@@ -0,0 +1,33 @@
+---
+layout: advisory
+title: 'CVE-2025-30221 (pitchfork): Pitchfork HTTP Request/Response Splitting vulnerability'
+comments: false
+categories:
+- pitchfork
+advisory:
+  gem: pitchfork
+  cve: 2025-30221
+  ghsa: pfqj-w6r6-g86v
+  url: https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
+  title: Pitchfork HTTP Request/Response Splitting vulnerability
+  date: 2025-03-27
+  description: |
+    ### Impact
+    HTTP Response Header Injection in Pitchfork Versions < 0.11.0
+    when used in conjunction with Rack 3
+
+    ### Patches
+    The issue was fixed in Pitchfork release 0.11.0
+
+    ### Workarounds
+    There are no known work arounds. Users must upgrade.
+  cvss_v3: 4.3
+  patched_versions:
+  - ">= 0.11.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-30221
+    - https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
+    - https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55
+    - https://github.com/advisories/GHSA-pfqj-w6r6-g86v
+---
