Bug 2381728 (CVE-2025-7339) - CVE-2025-7339 on-headers: on-headers vulnerable to http response header manipulation
Summary: CVE-2025-7339 on-headers: on-headers vulnerable to http response header manip...
Keywords:
Status: NEW
Alias: CVE-2025-7339
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2381749 2381750 2381751 2381752 2381753 2381754 2381755 2381756 2381757 2381758 2381759 2381760 2381761 2381762
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-17 16:01 UTC by OSIDB Bzimport
Modified: 2025-07-17 20:12 UTC (History)
102 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-17 16:01:30 UTC 
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.
Note You need to log in before you can comment on or make changes to this bug.