diff --git a/gems/pitchfork/CVE-2025-30221.yml b/gems/pitchfork/CVE-2025-30221.yml
new file mode 100644
index 0000000000..e891d1ed8e
--- /dev/null
+++ b/gems/pitchfork/CVE-2025-30221.yml
@@ -0,0 +1,26 @@
+---
+gem: pitchfork
+cve: 2025-30221
+ghsa: pfqj-w6r6-g86v
+url: https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
+title: Pitchfork HTTP Request/Response Splitting vulnerability
+date: 2025-03-27
+description: |
+ ### Impact
+ HTTP Response Header Injection in Pitchfork Versions < 0.11.0
+ when used in conjunction with Rack 3
+
+ ### Patches
+ The issue was fixed in Pitchfork release 0.11.0
+
+ ### Workarounds
+ There are no known work arounds. Users must upgrade.
+cvss_v3: 4.3
+patched_versions:
+ - ">= 0.11.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-30221
+ - https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v
+ - https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55
+ - https://github.com/advisories/GHSA-pfqj-w6r6-g86v
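Review bot: The `title` and the `### Impact` line name the weakness differently — the title says `HTTP Request/Response Splitting` while the description says `HTTP Response Header Injection` — so consumers that display only one of the two fields may show different class names for the same advisory; I would align the Impact line with the title, e.g. `HTTP Request/Response Splitting (response header injection) in Pitchfork versions < 0.11.0`. The `when used in conjunction with Rack 3` qualifier lives only in free text, and `patched_versions` is presumably what tooling acts on, so automated checks would flag every pre-0.11.0 install regardless of Rack version; that is the conservative outcome and consistent with the Workarounds section, but a short sentence in the description stating that the upgrade is recommended regardless of Rack version would keep readers from treating the Rack 3 condition as a reason to defer. Minor: `work arounds` should be `workarounds`.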