
on-headers vulnerable to http response header manipulation

Low
ctcpip published GHSA-76c9-3jph-rj3q Jul 17, 2025

Package

on-headers (npm)

Affected versions

<1.1.0

Patched versions

1.1.0

Description

Impact

A bug in on-headers versions <1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead().

Patches

Users should upgrade to 1.1.0.

Workarounds

Users are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.
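One way to apply the workaround where call sites already build header arrays, shown as an added example (not code from the advisory or from on-headers): the hypothetical helpers headersArrayToObject and writeHeadWithObject convert either array shape accepted by response.writeHead() into an object before the call, merging repeated names such as Set-Cookie into a value array.

```javascript
// Added example: normalize array-style headers into an object before writeHead().
// Handles both array shapes Node's writeHead() accepts: a flat
// [name, value, name, value, ...] list and a list of [name, value] pairs.
function headersArrayToObject(headers) {
  if (!Array.isArray(headers)) return headers; // already an object (or undefined)

  const pairs = headers.length > 0 && Array.isArray(headers[0])
    ? headers
    : toPairs(headers);

  const out = {};
  const canonical = new Map(); // lower-cased name -> first-seen spelling
  for (const [name, value] of pairs) {
    const key = String(name).toLowerCase();
    if (!canonical.has(key)) {
      canonical.set(key, name);
      out[name] = value;
    } else {
      // Repeated name (e.g. Set-Cookie): keep every value, as an array.
      const first = canonical.get(key);
      out[first] = [].concat(out[first], value);
    }
  }
  return out;
}

function toPairs(flat) {
  if (flat.length % 2 !== 0) {
    throw new TypeError('flat header array must have an even length');
  }
  const pairs = [];
  for (let i = 0; i < flat.length; i += 2) pairs.push([flat[i], flat[i + 1]]);
  return pairs;
}

// Hypothetical wrapper with the call shapes of res.writeHead(status[, reason][, headers]).
function writeHeadWithObject(res, statusCode, reason, headers) {
  if (typeof reason !== 'string') {
    headers = reason;
    reason = undefined;
  }
  const obj = headersArrayToObject(headers);
  return reason === undefined
    ? res.writeHead(statusCode, obj)
    : res.writeHead(statusCode, reason, obj);
}
```

Header names are matched case-insensitively when merging, and the first spelling seen is the one kept as the object key.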

References

Severity

Low

CVE ID

CVE-2025-7339

Weaknesses

Improper Handling of Unexpected Data Type

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Credits