CVE-2025-7339 LOW

CVE-2025-7339: on-headers vulnerable to http response header manipulation

Vendor Jshttp
Product on-headers
Weakness CWE-241
Published July 17, 2025
Last update July 17, 2025

CVSS base score

3.4/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

on-headers is a Node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users are strongly encouraged to upgrade to `1.1.0`, which contains the patch; until then, the issue can be worked around by passing an object to `response.writeHead()` rather than an array.
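The workaround described above, as an added example that is not code from on-headers or from the advisory: a small wrapper converts array-form headers into a plain object before they reach `response.writeHead()`. The helper names `headersToObject` and `writeHeadWithObject` are hypothetical, and the example assumes the two array shapes Node.js code commonly passes (a flat name/value list and a list of `[name, value]` pairs); header names are lowercased so repeated names merge.

```javascript
// Added example: hypothetical helpers, not part of on-headers or Node.js.

// Convert array-form headers into a plain object.
// Accepts the flat form ['Name', 'value', 'Name2', 'value2'] and a list of
// [name, value] pairs. Repeated names (e.g. Set-Cookie) are collected into
// an array so no value is silently dropped.
function headersToObject(headers) {
  if (headers == null) return {};
  if (!Array.isArray(headers)) return headers; // already an object
  const nested = headers.length > 0 && Array.isArray(headers[0]);
  if (!nested && headers.length % 2 !== 0) {
    throw new TypeError('flat header array must have an even length');
  }
  const out = Object.create(null); // no prototype keys to collide with
  const step = nested ? 1 : 2;
  for (let i = 0; i < headers.length; i += step) {
    const [name, value] = nested ? headers[i] : [headers[i], headers[i + 1]];
    const key = String(name).toLowerCase(); // header names are case-insensitive
    out[key] = key in out ? [].concat(out[key], value) : value;
  }
  return out;
}

// Call res.writeHead() with an object in the headers position, whether or
// not a reason phrase is supplied.
function writeHeadWithObject(res, statusCode, reasonOrHeaders, maybeHeaders) {
  if (typeof reasonOrHeaders === 'string') {
    return res.writeHead(statusCode, reasonOrHeaders, headersToObject(maybeHeaders));
  }
  return res.writeHead(statusCode, headersToObject(reasonOrHeaders));
}

// Constructed sample input showing the conversion.
const sampleHeaders = ['Content-Type', 'text/plain', 'Set-Cookie', 'a=1', 'Set-Cookie', 'b=2'];
console.log(headersToObject(sampleHeaders));
```

Call sites that build header arrays can route through the wrapper until the dependency is upgraded to `1.1.0`.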

Key dates

02 Disclosure timeline

July 17, 2025 CVE published
July 17, 2025 Record updated