Response Header Manipulation Vulnerability in Node.js Middleware from jshttp
CVE-2025-7339

3.4 LOW

Key Information:

Vendor: Jshttp

CVE Published: 17 July 2025

What is CVE-2025-7339?

The on-headers middleware for Node.js has a vulnerability that may allow response headers to be inadvertently modified when an array is passed to the response.writeHead() method. This issue is present in on-headers versions prior to 1.1.0. Users are strongly advised to upgrade to version 1.1.0, where this issue is addressed. A temporary workaround involves using an object instead of an array when calling response.writeHead(), which can help mitigate the risk.
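
The workaround described above, as an added example (not code from on-headers or from this advisory): a helper that converts array-form headers to an object before they reach response.writeHead(), plus a check of an installed version against the affected range. The function names are hypothetical, the flat array layout is the one Node.js documents for writeHead(), and the version check assumes a plain major.minor.patch string.

```javascript
'use strict';

// Added example; all function names here are hypothetical.
// Convert array-form headers into the object form the workaround calls for.
// Accepts the flat form Node.js documents (['Name', 'value', 'Name2', 'v2'])
// and, defensively, a list of [name, value] pairs. Non-arrays pass through.
function headersToObject(headers) {
  if (!Array.isArray(headers)) return headers;
  const pairs = headers.length > 0 && Array.isArray(headers[0])
    ? headers
    : flatToPairs(headers);
  const byLowerName = new Map(); // lower-cased name -> { name, values }
  for (const [name, value] of pairs) {
    const key = String(name).toLowerCase();
    const entry = byLowerName.get(key) || { name: String(name), values: [] };
    entry.values.push(...[].concat(value));
    byLowerName.set(key, entry);
  }
  const out = {};
  for (const { name, values } of byLowerName.values()) {
    // Repeated names (e.g. Set-Cookie) become an array value.
    out[name] = values.length === 1 ? values[0] : values;
  }
  return out;
}

function flatToPairs(flat) {
  if (flat.length % 2 !== 0) {
    throw new TypeError('flat header array must have an even length');
  }
  const pairs = [];
  for (let i = 0; i < flat.length; i += 2) pairs.push([flat[i], flat[i + 1]]);
  return pairs;
}

// Same arguments as res.writeHead(), but headers always reach it as an object.
// A status message (a string) is passed through untouched.
function writeHeadWithObject(res, statusCode, ...rest) {
  return res.writeHead(statusCode, ...rest.map((arg) => headersToObject(arg)));
}

// True when an on-headers version is in the affected range (before 1.1.0).
// Assumes a plain "major.minor.patch" string.
function isAffectedOnHeaders(version) {
  const [major, minor] = version.split('.').map(Number);
  return major < 1 || (major === 1 && minor < 1);
}
```

Call writeHeadWithObject(res, 200, headers) wherever the application currently passes an array to response.writeHead(); once on-headers is at 1.1.0 or later the wrapper is no longer needed.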

Affected Version(s)

on-headers: versions from 0 up to, but not including, 1.1.0

CVSS V3.1

Score: 3.4
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
