Low severity · 3.4 · OSV Advisory · Published Jul 17, 2025 · Updated Apr 15, 2026


CVE-2025-7339

Description

on-headers is a Node.js middleware for listening to when a response writes headers. A bug in on-headers versions <1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead(). Users should upgrade to version 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
on-headers (npm) | < 1.1.0 | 1.1.0


Patches

c6e384908c9c

🔒️ fix array handling

https://github.com/jshttp/on-headers · ctcpip · Jun 20, 2025 · via ghsa
2 files changed · +72 −2
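--- a/index.js
+++ b/index.js
@@ -74,8 +74,20 @@ function onHeaders (res, listener) {
  */
 
 function setHeadersFromArray (res, headers) {
-  for (var i = 0; i < headers.length; i++) {
-    res.setHeader(headers[i][0], headers[i][1])
+  if (headers.length && Array.isArray(headers[0])) {
+    // 2D
+    for (var i = 0; i < headers.length; i++) {
+      res.setHeader(headers[i][0], headers[i][1])
+    }
+  } else {
+    if (headers.length % 2 !== 0) {
+      throw new TypeError('headers array is malformed')
+    }
+
+    // 1D
+    for (var j = 0; j < headers.length; j += 2) {
+      res.setHeader(headers[j], headers[j + 1])
+    }
   }
 }
 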
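Review bot: The 2D branch chosen by `if (headers.length && Array.isArray(headers[0]))` decides the layout from the first element only, so an array that mixes shapes (a nested pair followed by flat strings) is still indexed as `headers[i][0]`/`headers[i][1]` for every entry, and a string entry then contributes its first two characters as a header name and value — the same inadvertent header rewrite this fix closes for flat arrays. Each entry on that path should be validated and rejected with the same error, e.g. `if (!Array.isArray(headers[i]) || headers[i].length !== 2) throw new TypeError('headers array is malformed')` placed before the `setHeader` call in the 2D loop. The `else` branch already fails closed on odd-length input, so both paths would then refuse malformed input consistently rather than one of them silently setting truncated names; the `it('should throw on malformed array')` case in test/test.js could gain a mixed-shape input to pin this.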
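--- a/test/test.js
+++ b/test/test.js
@@ -278,6 +278,64 @@ describe('onHeaders(res, listener)', function () {
         .expect(201, done)
     })
   })
+
+  describe('writeHead(status, flat arr)', function () {
+    it('should be available in listener', function (done) {
+      var server = createServer(listener, handler)
+
+      function handler (req, res) {
+        res.writeHead(201, ['X-Outgoing', 'test'])
+      }
+
+      function listener (req, res) {
+        this.setHeader('X-Status', this.statusCode)
+        this.setHeader('X-Outgoing-Echo', this.getHeader('X-Outgoing'))
+      }
+
+      request(server)
+        .get('/')
+        .expect('X-Status', '201')
+        .expect('X-Outgoing-Echo', 'test')
+        .expect(201, done)
+    })
+  })
+
+  describe('writeHead(status, invalid flat arr)', function () {
+    it('should throw on malformed array', function (done) {
+      var server = createServer(listener, handler)
+
+      function handler (req, res) {
+        assert.throws(function () {
+          res.writeHead(201, ['foo', 'bar', 'baz'])
+        },
+        TypeError)
+      }
+
+      function listener (req, res) {
+      }
+
+      // gets a 200 here because we caught the error via assert.throws
+      request(server)
+        .get('/')
+        .expect(200, done)
+    })
+
+    it('should return 500 on malformed array', function (done) {
+      var server = createServer(listener, handler)
+
+      function handler (req, res) {
+        res.writeHead(201, ['foo', 'bar', 'baz'])
+        res.end('no soup for you!')
+      }
+
+      function listener (req, res) {
+      }
+
+      request(server)
+        .get('/')
+        .expect(500, done)
+    })
+  })
 })
 
 function createServer (listener, handler) {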


