CVE-2025-7339 — on-headers is vulnerable to http response header manipulation

Description

### Impact A bug in on-headers versions `< 1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()` ### Patches Users should upgrade to `1.1.0` ### Workarounds Uses are encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.

How to fix CVE-2025-7339

To remediate CVE-2025-7339, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.1.0 or later

Is CVE-2025-7339 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 1.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-7339
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-7339
PATCHgithub.com/jshttp/on-headers
WEBcna.openjsf.org/security-advisories.html
WEBgithub.com