CVE-2025-7339: on-headers vulnerable to http response header manipulation

Published Jul 17, 2025
·
Updated

Impact

A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead()

Patches

Users should upgrade to 1.1.0

Workarounds

Uses are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.

Other sources

on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions <1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead(). Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.

NVD

on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead(). Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.

IBM

on-headers vulnerable to http response header manipulation

Microsoft

Affected Software

4 affected componentsFixes available
on-headers on-headers<1.1.0
npm/on-headers<1.1.0
1.1.0
Microsoft cbl2 reaper 3.1.1-19
IBM watsonx.data intelligence<=5.2.0, 5.2.1, 5.3.0, 5.3.1

Event History

Jul 17, 2025
CVE Published
via MITRE·03:47 PM
Data Sourced
via MITRE·03:47 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:15 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·09:17 PM
Data Sourced
via GitHub·09:17 PM
DescriptionSeverityWeaknessAffected Software
Sep 17, 2025
Data Sourced
via Microsoft·01:01 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·01:01 AM
Affected Software
Updated
via Microsoft·01:01 AM
DescriptionSeverity
Apr 27, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-7339?

The severity of CVE-2025-7339 is classified as moderate due to the potential for unintended modification of response headers.

2

How do I fix CVE-2025-7339?

To fix CVE-2025-7339, users should upgrade to on-headers version 1.1.0 or later.

3

What versions are affected by CVE-2025-7339?

CVE-2025-7339 affects on-headers versions prior to 1.1.0.

4

What type of bug is associated with CVE-2025-7339?

CVE-2025-7339 involves a bug that may lead to inadvertent modifications of response headers when an array is passed to response.writeHead().

5

Who is affected by CVE-2025-7339?

Users of on-headers versions prior to 1.1.0 are affected by CVE-2025-7339.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203