Improper Handling of Unexpected Data Type in on-headers

CVE-2025-7339

on-headers
org.webjars.npm:on-headers

Low

3.4/10

Summary

The on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions prior to 1.1.0 may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users are strongly encouraged to upgrade to a fixed version, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-241 - Improper Handling of Unexpected Data Type

The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

References

Advisory
Release Note
Issue

Advisory Timeline

Published Jul 17, 2025

Improper Handling of Unexpected Data Type in on-headers

CVE-2025-7339

Summary

CWE-241 - Improper Handling of Unexpected Data Type

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS