CVE-2025-7339 is a vulnerability affecting versions of on-headers prior to 1.1.0. This issue allows for potential modification of response headers when an array is passed to the response.writeHead() function. The impact may be subtle, but it can lead to unexpected behavior or security consequences. Upgrade to version 1.1.0 to remediate this vulnerability.
The core of this vulnerability lies in the improper handling of data types within the response.writeHead() function. When an array is provided as input, on-headers may incorrectly interpret and modify the response headers being sent to the client. While the immediate impact might not be catastrophic, it could enable attackers to subtly alter the behavior of a web application. For example, an attacker could manipulate headers related to caching, security policies (like Content-Security-Policy), or redirects. This could lead to information disclosure, cross-site scripting (XSS) vulnerabilities, or other unexpected consequences depending on the application's logic. The potential for abuse depends heavily on the application's reliance on these headers.
CVE-2025-7339 was published on 2025-07-17. The CVSS score is LOW (3.4), indicating a relatively low probability of exploitation. There are no known public Proof-of-Concept (PoC) exploits available at this time. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and the EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Exploitation status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2025-7339 is to upgrade to version 1.1.0 of on-headers. This version includes a fix that correctly handles the input to response.writeHead(). If upgrading is not immediately feasible, a workaround exists: always pass an object instead of an array to the response.writeHead() function. This bypasses the vulnerable code path. Thorough testing is crucial after applying either the upgrade or the workaround to ensure application stability and functionality. After upgrading, confirm the fix by sending requests with array inputs to response.writeHead() and verifying that headers are not modified unexpectedly.
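The workaround above, enforced in code, as an added example that is not part of this advisory or of the on-headers project: a shim that converts whatever header form a caller passes to `response.writeHead()` into an object before on-headers ever sees it. It assumes the two array shapes Node accepts for the headers argument (nested name/value pairs and a flat raw list); `normalizeHeaders`, `enforceObjectHeaders` and `fakeResponse` are names chosen here, and `fakeResponse` is a constructed stand-in for `http.ServerResponse`.

```javascript
// Normalise the two array shapes Node accepts into a plain header object:
//   nested pairs:  [['Content-Type', 'text/html'], ['X-Id', '1']]
//   flat raw list: ['Content-Type', 'text/html', 'X-Id', '1']
// Header names are case-insensitive, so a later duplicate overwrites an
// earlier one; Set-Cookie is the exception and is accumulated into an array.
function normalizeHeaders(headers) {
  if (headers == null || !Array.isArray(headers)) return headers; // object or absent: untouched
  let pairs = headers;
  if (!(headers.length > 0 && Array.isArray(headers[0]))) {
    if (headers.length % 2 !== 0) throw new TypeError('flat header array must contain name/value pairs');
    pairs = [];
    for (let i = 0; i < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
  }
  const out = {};
  const seen = new Map(); // lower-cased name -> key used in `out`
  for (const [name, value] of pairs) {
    const key = String(name);
    const lower = key.toLowerCase();
    const stored = seen.get(lower);
    if (stored === undefined) {
      seen.set(lower, key);
      out[key] = lower === 'set-cookie' ? [].concat(value) : value;
    } else if (lower === 'set-cookie') {
      out[stored] = out[stored].concat(value);
    } else {
      out[stored] = value;
    }
  }
  return out;
}

// Wrap a response so every writeHead() call reaches the original method with
// an object. Handles both signatures: writeHead(status, headers) and
// writeHead(status, statusMessage, headers).
function enforceObjectHeaders(res) {
  const original = res.writeHead;
  res.writeHead = function (statusCode, reasonOrHeaders, maybeHeaders) {
    if (typeof reasonOrHeaders === 'string') {
      return original.call(this, statusCode, reasonOrHeaders, normalizeHeaders(maybeHeaders));
    }
    return original.call(this, statusCode, normalizeHeaders(reasonOrHeaders));
  };
  return res;
}

// Constructed stand-in for http.ServerResponse that records what writeHead received.
function fakeResponse() {
  return { calls: [], writeHead(...args) { this.calls.push(args); return this; } };
}
```

In a real application, call `enforceObjectHeaders(res)` at the start of the request handler, before any middleware that uses on-headers is given the response.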
Upgrade the `on-headers` package to version 1.1.0 or later. This fixes the HTTP header manipulation vulnerability. Alternatively, you can modify your code to pass an object instead of an array to the `response.writeHead()` function.
CVE-2025-7339 is a vulnerability in on-headers versions before 1.1.0 where passing an array to response.writeHead() can inadvertently modify response headers, potentially leading to unexpected application behavior.
You are affected if your project uses on-headers versions earlier than 1.1.0. Check your dependencies to determine if you need to upgrade.
The recommended fix is to upgrade to version 1.1.0 of on-headers. As a temporary workaround, pass an object instead of an array to response.writeHead().
Currently, there are no known public exploits or active campaigns targeting CVE-2025-7339, but continuous monitoring is advised.
Refer to the on-headers project's repository or website for the official advisory and release notes regarding CVE-2025-7339.