resolved
Cloudflare WAF Bypass - Origin IP Exposure
Bug reported by aarav was disclosed at March 27, 2025, 5:08 pm |
The Cloudflare WAF was bypassed, exposing an IP address belonging to a server operated by Hemi.
resolved
HTTP Response Header Injection in shopify/pitchfork + Rack 3
Bug reported by ooooooo_q was disclosed at March 27, 2025, 2:37 pm | HTTP Response Splitting
The HTTP response header injection vulnerability was discovered in the Pitchfork library version 0.10.0 when used with Rack 3. The issue stemmed from improper handling of header values containing newline characters in the `append_header` method of the HTTP response module. When Rack 3 was used, the newline characters were not properly sanitized and were displayed as-is in the output, enabling header injection. This vulnerability could have potentially led to further attacks, such as cross-site scripting (XSS).
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
