CVE-2025-7339: 
JavaScript vulnerability analysis and mitigation

A vulnerability has been identified in the on-headers node.js middleware package (CVE-2025-7339), which is used for listening to when a response writes headers. The bug affects versions prior to 1.1.0 and may result in response headers being inadvertently modified when an array is passed to response.writeHead(). The vulnerability was discovered and disclosed on July 17, 2025 (OpenJS Advisory).

The vulnerability stems from inconsistent handling of array-formatted headers in the setHeadersFromArray function. The function incorrectly processes headers in a 2D array format, which conflicts with NodeJS Http documentation specifications. When res.writeHead is used with onHeaders and the headers argument is in 2D array format, it can lead to header manipulation issues. The vulnerability has been assigned a CVSS v3.1 base score of 3.4 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N (NVD).

When exploited, this vulnerability can result in HTTP response header manipulation, potentially leading to security implications where headers are incorrectly processed or modified. The impact is considered low due to the limited scope of the vulnerability and the requirement for local access (GHSA Advisory).

Users are strongly encouraged to upgrade to version 1.1.0 which contains the fix for this vulnerability. As a temporary workaround, users can pass an object to response.writeHead() rather than an array. The fix has been implemented in version 1.1.0 through proper handling of array-formatted headers (Security Advisory).