CVE-2025-7339

Name: CVE-2025-7339
Description: on-headers is a Node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1109525

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release            Version   Status
node-on-headers (PTS)   bullseye           1.0.2-1   vulnerable
node-on-headers (PTS)   trixie, bookworm   1.0.2-2   vulnerable
node-on-headers (PTS)   sid                1.0.2-4   fixed

The information below is based on the following data on fixed versions.

Package           Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
node-on-headers   source   (unstable)   1.0.2-4         -         -        1109525

Notes

https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q
https://github.com/jshttp/on-headers/issues/15
Fixed by: https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867 (v1.1.0)
