Rack
cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*
A vulnerability allowing HTTP response header injection has been identified in Shopify Pitchfork versions prior to 0.11.0, when used with Rack 3. This issue can lead to HTTP request/response splitting.
Exploiting this vulnerability lets an attacker inject HTTP response headers, manipulating the response in ways that may disrupt normal application behavior or facilitate further attacks such as cross-site scripting or cache poisoning.
Users are advised to upgrade to Pitchfork version 0.11.0 or later. Instructions for upgrading can be found in the Pitchfork repository on GitHub.
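As a defense-in-depth check alongside the upgrade, the following added example (not code from Pitchfork, Rack, or this advisory) is a Rack middleware that refuses to emit a response whose header names or values contain CR, LF or NUL. It assumes those control characters are the injection carrier, which the advisory does not spell out; the class name, helper and sample apps are hypothetical.

```ruby
# Added example: blocks responses whose headers carry CR, LF or NUL.
# HeaderInjectionGuard is a hypothetical name, not part of Rack or Pitchfork.
class HeaderInjectionGuard
  FORBIDDEN = /[\r\n\0]/

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    bad = offending_headers(headers)
    return [status, headers, body] if bad.empty?

    # Drop the tainted response entirely instead of trying to repair it.
    body.close if body.respond_to?(:close)
    env["rack.errors"]&.puts("blocked response, control characters in: #{bad.inspect}")
    [500, { "content-type" => "text/plain" }, ["Internal Server Error\n"]]
  end

  # Rack 3 allows a header value to be a String or an Array of Strings,
  # so both shapes are checked, along with the header name itself.
  def offending_headers(headers)
    headers.select do |name, value|
      name.to_s.match?(FORBIDDEN) ||
        Array(value).any? { |v| v.to_s.match?(FORBIDDEN) }
    end.keys
  end
end

# Constructed sample apps for demonstration only.
SAFE_APP = lambda do |_env|
  [200, { "content-type" => "text/plain", "set-cookie" => ["a=1", "b=2"] }, ["ok"]]
end

# Simulates an application that copies untrusted input into a header value.
TAINTED_APP = ->(env) { [302, { "location" => env["QUERY_STRING"] }, []] }

# Runs an app behind the guard and returns the resulting status code.
def guarded_status(app, query = "")
  HeaderInjectionGuard.new(app).call({ "QUERY_STRING" => query }).first
end
```

Insert the middleware outermost in the stack (for example with `use HeaderInjectionGuard` in `config.ru`) so it sees the final headers handed to the server.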