Source: node-on-headers
Version: 1.0.2-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/jshttp/on-headers/issues/15
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-on-headers.

CVE-2025-7339[0]:
| on-headers is a node.js middleware for listening to when a response
| writes headers. A bug in on-headers versions `<1.1.0` may result in
| response headers being inadvertently modified when an array is
| passed to `response.writeHead()`. Users should upgrade to version
| 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to
| `1.1.0`, but this issue can be worked around by passing an object to
| `response.writeHead()` rather than an array.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7339
    https://www.cve.org/CVERecord?id=CVE-2025-7339
[1] https://github.com/jshttp/on-headers/issues/15
[2] https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q
[3] https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867

Regards,
Salvatore
