An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS03NmM5LTNqcGgtcmozcc4ABKP-

Severity: Low
EPSS: 0.00015% (0.01775 percentile)

on-headers is vulnerable to HTTP response header manipulation

Affected Package    Affected Versions    Fixed Versions
npm:on-headers      < 1.1.0              1.1.0
1,380 Dependent packages
3,651,378 Dependent repositories
105,388,677 Downloads last month

Affected Version Ranges

All affected versions

0.0.0, 1.0.0, 1.0.1, 1.0.2

All unaffected versions

1.1.0

Impact

A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead().

Patches

Users should upgrade to 1.1.0

Workarounds

Users are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.
