Description
on-headers is vulnerable to http response header manipulation
Impact
A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead()
Patches
Users should upgrade to 1.1.0
Workarounds
Users are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.
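The workaround above depends on every call site using the object form of response.writeHead(). The following is an added example, not code from the on-headers project or from the advisory: a helper that converts both array shapes Node accepts for the headers argument (an array of [name, value] pairs, and the flat [name, value, name, value, ...] form) into a plain object, plus a small wrapper that applies it to a response so that any downstream on-headers listener only ever sees an object. The function names toHeaderObject and wrapWriteHead are my own, and the fake response object in the usage section is constructed for the demonstration.

```javascript
// Added example (not part of on-headers or the advisory). Normalises the
// headers argument of response.writeHead() to a plain object so code running
// alongside on-headers < 1.1.0 never hands it an array.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Convert either array shape accepted by Node's writeHead() into an object.
// Repeated header names are collected into an array value, which is how a
// multi-valued header (e.g. Set-Cookie) is represented in object form.
function toHeaderObject(headers) {
  if (headers === undefined || headers === null) return {};
  if (!Array.isArray(headers)) {
    // Already an object: copy it so the caller's object is not mutated.
    return Object.assign({}, headers);
  }

  const out = {};
  const add = (name, value) => {
    if (typeof name !== 'string' || name.length === 0) {
      throw new TypeError('header name must be a non-empty string');
    }
    if (hasOwn(out, name)) {
      out[name] = [].concat(out[name], value);
    } else {
      out[name] = value;
    }
  };

  if (headers.length > 0 && Array.isArray(headers[0])) {
    // Shape 1: [[name, value], [name, value], ...]
    for (const pair of headers) {
      if (!Array.isArray(pair) || pair.length !== 2) {
        throw new TypeError('each header entry must be a [name, value] pair');
      }
      add(pair[0], pair[1]);
    }
  } else {
    // Shape 2: [name, value, name, value, ...] (same layout as rawHeaders)
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array must have an even length');
    }
    for (let i = 0; i < headers.length; i += 2) {
      add(headers[i], headers[i + 1]);
    }
  }
  return out;
}

// Replace res.writeHead with a version that always forwards an object.
// Handles both signatures: writeHead(status, headers) and
// writeHead(status, statusMessage, headers).
function wrapWriteHead(res) {
  const original = res.writeHead;
  res.writeHead = function writeHead(statusCode, reason, headers) {
    if (typeof reason !== 'string') {
      headers = reason;
      reason = undefined;
    }
    const normalized = toHeaderObject(headers);
    return reason === undefined
      ? original.call(this, statusCode, normalized)
      : original.call(this, statusCode, reason, normalized);
  };
  return res;
}

// Usage with a constructed fake response that only records what it receives.
function demo() {
  const calls = [];
  const fakeRes = {
    writeHead(status, ...rest) {
      calls.push([status, ...rest]);
      return this;
    },
  };
  wrapWriteHead(fakeRes);
  fakeRes.writeHead(200, ['Content-Type', 'text/plain', 'Set-Cookie', 'a=1', 'Set-Cookie', 'b=2']);
  fakeRes.writeHead(404, 'Not Found', [['X-Request-Id', 'abc']]);
  return calls;
}

module.exports = { toHeaderObject, wrapWriteHead, demo };
```

Because each wrapper replaces res.writeHead and calls the previous one, the wrapper installed last is the first to run; register this one after the middleware that uses on-headers so the array never reaches it.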
References
- https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q
- https://nvd.nist.gov/vuln/detail/CVE-2025-7339
- https://github.com/expressjs/morgan/issues/315
- https://github.com/jshttp/on-headers/issues/15
- https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867
- https://cna.openjsf.org/security-advisories.html
Packages
on-headers: affected versions < 1.1.0; patched version 1.1.0
Related vulnerabilities
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.