CVE-2025-7339
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: openjs
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jshttp | on-headers | 1.1.0 |
| expressjs | morgan | 1.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-241 | The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the on-headers Node.js middleware in versions before 1.1.0. When an array is passed to the response.writeHead() function, response headers can be inadvertently modified. This unintended modification can lead to unexpected behavior in how HTTP response headers are handled.
How can this vulnerability impact me?
The vulnerability can cause response headers to be altered unintentionally, which may lead to incorrect or unexpected HTTP responses. This could affect the behavior of web applications relying on correct header information, potentially impacting security controls or application functionality.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the on-headers package to version 1.1.0 or later. Alternatively, as a workaround, ensure that every call to response.writeHead() passes its headers as an object rather than an array, so the array handling path is never exercised.
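As an added illustration of the workaround above (this is example code written for this page, not code from BaseFortify or from the on-headers project): a small wrapper that converts either array shape that res.writeHead() has accepted across Node.js releases (a list of [name, value] pairs, or a flat name, value, name, value list) into the object form before the call reaches the response, so application code keeps the object-only guarantee at one choke point instead of at every call site. The helper names normalizeHeaders, appendHeader, safeWriteHead and fakeResponse are assumptions, and the fake response object is constructed purely for the demonstration.

```javascript
'use strict';

// Merge one header into the output object. Header names are case-insensitive in
// HTTP, so they are lower-cased to make duplicates detectable; a repeated name
// becomes an array value, which is how the object form expresses multiple
// header lines (e.g. several Set-Cookie headers).
function appendHeader(out, name, value) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('header name must be a non-empty string');
  }
  const key = name.toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(out, key)) {
    out[key] = value;
  } else if (Array.isArray(out[key])) {
    out[key].push(value);
  } else {
    out[key] = [out[key], value];
  }
}

// Return a plain object for any headers argument writeHead() accepts.
//   - undefined/null      -> {}
//   - plain object        -> returned unchanged (already the safe form)
//   - [[name, value], ..] -> object (pair form accepted by older Node.js)
//   - [name, value, ...]  -> object (flat form accepted by newer Node.js)
function normalizeHeaders(headers) {
  if (headers == null) return {};
  if (!Array.isArray(headers)) return headers;

  const out = {};
  if (headers.length > 0 && Array.isArray(headers[0])) {
    for (const pair of headers) {
      if (!Array.isArray(pair) || pair.length !== 2) {
        throw new TypeError('expected [name, value] pairs');
      }
      appendHeader(out, pair[0], pair[1]);
    }
  } else {
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array must have an even length');
    }
    for (let i = 0; i < headers.length; i += 2) {
      appendHeader(out, headers[i], headers[i + 1]);
    }
  }
  return out;
}

// Drop-in replacement for res.writeHead(status[, reason][, headers]) that
// always hands the response an object, never an array (hypothetical helper).
function safeWriteHead(res, statusCode, reasonOrHeaders, maybeHeaders) {
  if (typeof reasonOrHeaders === 'string') {
    return res.writeHead(statusCode, reasonOrHeaders, normalizeHeaders(maybeHeaders));
  }
  return res.writeHead(statusCode, normalizeHeaders(reasonOrHeaders));
}

// Constructed stand-in for http.ServerResponse that records what writeHead
// receives, so the effect of the wrapper can be inspected without a socket.
function fakeResponse() {
  const calls = [];
  return {
    calls,
    writeHead(...args) {
      calls.push(args);
      return this;
    },
  };
}

// Stand-alone demonstration: the array form never reaches the response.
const demo = fakeResponse();
safeWriteHead(demo, 200, [['Content-Type', 'text/plain'], ['X-Request-Id', 'abc']]);
safeWriteHead(demo, 302, 'Found', ['Location', '/login', 'Set-Cookie', 'a=1', 'Set-Cookie', 'b=2']);
console.log(JSON.stringify(demo.calls, null, 2));

module.exports = { appendHeader, normalizeHeaders, safeWriteHead, fakeResponse };
```

Only the shape of the headers argument changes; status code and reason phrase pass through untouched, so the wrapper can replace existing writeHead calls without altering the response otherwise.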