Source: node-on-headers
Version: 1.0.2-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/jshttp/on-headers/issues/15
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-on-headers.

CVE-2025-7339[0]:
| on-headers is a node.js middleware for listening to when a response
| writes headers. A bug in on-headers versions `<1.1.0` may result in
| response headers being inadvertently modified when an array is
| passed to `response.writeHead()`. Users should upgrade to version
| 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to
| `1.1.0`, but this issue can be worked around by passing an object to
| `response.writeHead()` rather than an array.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7339
    https://www.cve.org/CVERecord?id=CVE-2025-7339
[1] https://github.com/jshttp/on-headers/issues/15
[2] https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q
[3] https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867

Regards,
Salvatore
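
The workaround named in the CVE text (pass an object to `response.writeHead()` rather than an array) can be applied at call sites until 1.1.0 is packaged. The following is an added example, not code from on-headers or from this report; the helper names `headersArrayToObject` and `safeWriteHead` are hypothetical, and the helper covers both a flat `[name, value, ...]` array and an array of `[name, value]` pairs.

```javascript
// Added example: normalise array-style headers to an object before they
// reach response.writeHead(), so the array code path is never taken.
function headersArrayToObject(headers) {
  if (!Array.isArray(headers)) return headers; // object or undefined: pass through

  const pairs = [];
  if (headers.length > 0 && Array.isArray(headers[0])) {
    // Array of [name, value] pairs
    for (const entry of headers) pairs.push([entry[0], entry[1]]);
  } else {
    // Flat array: name at even offsets, value at odd offsets
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array must have an even length');
    }
    for (let i = 0; i < headers.length; i += 2) {
      pairs.push([headers[i], headers[i + 1]]);
    }
  }

  const out = Object.create(null); // no prototype, so odd names cannot clobber it
  const firstSpelling = new Map(); // lower-cased name -> key used in `out`
  for (const [name, value] of pairs) {
    const lower = String(name).toLowerCase();
    if (!firstSpelling.has(lower)) {
      firstSpelling.set(lower, name);
      out[name] = value;
    } else {
      // Repeated header (e.g. Set-Cookie): collect the values in an array
      const key = firstSpelling.get(lower);
      out[key] = [].concat(out[key], value);
    }
  }
  return out;
}

// Drop-in wrapper for res.writeHead(statusCode[, statusMessage][, headers])
function safeWriteHead(res, statusCode, reason, headers) {
  if (typeof reason !== 'string') {
    headers = reason;
    reason = undefined;
  }
  const obj = headersArrayToObject(headers);
  return reason === undefined
    ? res.writeHead(statusCode, obj)
    : res.writeHead(statusCode, reason, obj);
}
```

Repeated names are merged case-insensitively under the first spelling seen, so multiple `Set-Cookie` entries survive the conversion.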