Low severity (3.4) · OSV Advisory · Published Jul 17, 2025 · Updated Apr 15, 2026
CVE-2025-7339
Description
on-headers is a Node.js middleware for listening to when a response writes headers. A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead(). Users are strongly encouraged to upgrade to version 1.1.0, which contains the patch, but this issue can be worked around by passing an object to response.writeHead() rather than an array.
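The workaround described above, as an added example (not code from on-headers or from the advisory): a wrapper that converts a headers array into an object before it reaches response.writeHead(). The helper names `headersArrayToObject` and `writeHeadWithObject` are hypothetical, and the sample call in the closing comment is constructed.

```javascript
// Added example: helper names are hypothetical, not part of on-headers or Node.js.

// Turn the array forms of writeHead() headers into a plain object.
// Accepts a flat [name, value, name, value, ...] list or a list of
// [name, value] pairs; anything that is not an array passes through.
function headersArrayToObject(headers) {
  if (!Array.isArray(headers)) return headers;
  const nested = headers.length > 0 && Array.isArray(headers[0]);
  if (!nested && headers.length % 2 !== 0) {
    throw new TypeError('flat header array must hold name/value pairs');
  }
  // Header names are case-insensitive, so merge on the lower-cased name
  // and keep the first spelling seen. Map value: [name, values[]].
  const merged = new Map();
  const step = nested ? 1 : 2;
  for (let i = 0; i < headers.length; i += step) {
    const [name, value] = nested ? headers[i] : [headers[i], headers[i + 1]];
    const key = String(name).toLowerCase();
    if (!merged.has(key)) merged.set(key, [String(name), []]);
    // A repeated header (e.g. Set-Cookie) accumulates into one array value.
    merged.get(key)[1].push(...[].concat(value));
  }
  return Object.fromEntries(
    [...merged.values()].map(([name, values]) =>
      [name, values.length === 1 ? values[0] : values])
  );
}

// Same arguments as res.writeHead(statusCode[, statusMessage][, headers]),
// but a headers array is converted to an object before the call.
function writeHeadWithObject(res, statusCode, ...rest) {
  const last = rest.length - 1;
  if (last >= 0 && Array.isArray(rest[last])) {
    rest[last] = headersArrayToObject(rest[last]);
  }
  return res.writeHead(statusCode, ...rest);
}

// Constructed sample call:
//   writeHeadWithObject(res, 200,
//     ['Content-Type', 'text/plain', 'Set-Cookie', 'a=1', 'Set-Cookie', 'b=2']);
// reaches res.writeHead() as
//   (200, { 'Content-Type': 'text/plain', 'Set-Cookie': ['a=1', 'b=2'] })
```
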
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| on-headers (npm) | < 1.1.0 | 1.1.0 |
Affected products (51)
- Range: v0.0.0, v1.0.0, v1.0.1, …
- osv-coords (50 versions):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/argo-workflow-cli | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflow-controller | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflow-controller-compat | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflow-executor | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflow-executor-compat | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflows | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflows-known-hosts | < 3.6.10-r3 |
| pkg:apk/chainguard/argo-workflows-ui | < 3.6.10-r3 |
| pkg:apk/chainguard/code-server | < 4.102.1-r0 |
| pkg:apk/chainguard/code-server-compat | < 4.102.1-r0 |
| pkg:apk/chainguard/json-server | < 0.17.4-r2 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.10.0-r3 |
| pkg:apk/chainguard/serve | < 14.2.5-r0 |
| pkg:apk/chainguard/sqlpad | < 7.5.4-r3 |
| pkg:apk/chainguard/sqlpad-compat | < 7.5.4-r3 |
| pkg:apk/chainguard/thingsboard | < 4.1-r5 |
| pkg:apk/chainguard/thingsboard-tb-js-executor | < 4.1-r5 |
| pkg:apk/chainguard/thingsboard-tb-mqtt-transport | < 4.1-r5 |
| pkg:apk/chainguard/thingsboard-tb-node | < 4.1-r5 |
| pkg:apk/chainguard/thingsboard-tb-web-ui | < 4.1-r5 |
| pkg:apk/chainguard/tileserver-gl | < 5.3.1-r7 |
| pkg:apk/chainguard/tileserver-gl-compat | < 5.3.1-r7 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.3.1-r6 |
| pkg:apk/chainguard/tileserver-gl-fips-compat | < 5.3.1-r6 |
| pkg:apk/chainguard/vitess-22 | < 22.0.2-r0 |
| pkg:apk/wolfi/argo-workflow-cli | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflow-controller | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflow-controller-compat | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflow-executor | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflow-executor-compat | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflows | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflows-known-hosts | < 3.6.10-r3 |
| pkg:apk/wolfi/argo-workflows-ui | < 3.6.10-r3 |
| pkg:apk/wolfi/code-server | < 4.102.1-r0 |
| pkg:apk/wolfi/code-server-compat | < 4.102.1-r0 |
| pkg:apk/wolfi/json-server | < 0.17.4-r2 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.10.0-r3 |
| pkg:apk/wolfi/serve | < 14.2.5-r0 |
| pkg:apk/wolfi/sqlpad | < 7.5.4-r3 |
| pkg:apk/wolfi/sqlpad-compat | < 7.5.4-r3 |
| pkg:apk/wolfi/thingsboard | < 4.1-r5 |
| pkg:apk/wolfi/thingsboard-tb-js-executor | < 4.1-r5 |
| pkg:apk/wolfi/thingsboard-tb-mqtt-transport | < 4.1-r5 |
| pkg:apk/wolfi/thingsboard-tb-node | < 4.1-r5 |
| pkg:apk/wolfi/thingsboard-tb-web-ui | < 4.1-r5 |
| pkg:apk/wolfi/tileserver-gl | < 5.3.1-r7 |
| pkg:apk/wolfi/tileserver-gl-compat | < 5.3.1-r7 |
| pkg:apk/wolfi/vitess-22 | < 22.0.2-r0 |
| pkg:npm/on-headers | < 1.1.0 |
| pkg:rpm/opensuse/agama-web-ui&distro=openSUSE%20Leap%2016.0 | < 17+612.d8bf69336-160000.11.1 |
References (7)
- github.com/advisories/GHSA-76c9-3jph-rj3q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-7339 (ghsa, ADVISORY)
- cna.openjsf.org/security-advisories.html (nvd, WEB)
- github.com/expressjs/morgan/issues/315 (nvd, WEB)
- github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867 (nvd, WEB)
- github.com/jshttp/on-headers/issues/15 (nvd, WEB)
- github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q (nvd, WEB)