
Low severity vulnerability in on-headers@1.0.2 CVE-2025-7339 #825

@MikeMcC399

Description

Situation

npm audit reports a low severity vulnerability CVE-2025-7339 in the transient dependency on-headers@1.0.2

Steps to reproduce

Ubuntu 24.04.2 LTS, Node.js 22.17.1 LTS

cd $(mktemp -d)
npm install serve
npm audit

Logs

# npm audit report

on-headers  <1.1.0
on-headers is vulnerable to http response header manipulation - https://github.com/advisories/GHSA-76c9-3jph-rj3q
fix available via `npm audit fix --force`
Will install serve@10.0.2, which is a breaking change
node_modules/on-headers
  compression  1.0.3 - 1.8.0
  Depends on vulnerable versions of on-headers
  node_modules/compression
    serve  >=10.1.0
    Depends on vulnerable versions of compression
    node_modules/serve

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Assessment

Executing the following fails to remediate the vulnerability:

npm audit fix

serve@14.2.4 is pinned to compression@1.7.4 (released Mar 18, 2019), which is pinned to the vulnerable on-headers@~1.0.2.

A minimum version of compression@1.8.1 (current latest) is required to pull in the non-vulnerable on-headers@~1.1.0.

Recommendation

Bump compression@1.7.4 to compression@1.8.1 in dependencies of serve and release a new version.

Library version

14.2.4 (current latest)

Node version

v22.17.1
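As an added example that is not part of the original issue or of the serve project: a small Node.js script that walks a dependency tree in the shape of `npm ls --all --json` output (a nested object of `name`, `version` and `dependencies`) and lists every chain that reaches a package version below a given first-fixed version. The package name `on-headers` and the fixed version `1.1.0` come from the audit report above; the function names and the embedded sample tree, which is constructed to mirror the serve → compression → on-headers chain in the report, are assumptions.

```javascript
// Added example: locate every dependency chain that reaches a vulnerable
// package version in a tree shaped like `npm ls --all --json` output,
// i.e. { name, version, dependencies: { <name>: { version, dependencies } } }.
// Not part of the issue or the serve project; names and sample data are assumed.

// Constructed sample tree mirroring the chain in the audit report:
// serve@14.2.4 -> compression@1.7.4 -> on-headers@1.0.2
const sampleTree = {
  name: "audit-demo",
  version: "1.0.0",
  dependencies: {
    serve: {
      version: "14.2.4",
      dependencies: {
        compression: {
          version: "1.7.4",
          dependencies: {
            "on-headers": { version: "1.0.2" },
          },
        },
      },
    },
  },
};

// Compare two plain dotted versions ("1.0.2" vs "1.1.0"); returns -1, 0 or 1.
// A pre-release suffix after "-" is ignored, which is enough for the
// versions that appear in the report.
function compareVersions(a, b) {
  const pa = String(a).split("-")[0].split(".").map(Number);
  const pb = String(b).split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk. Returns an array of chains, each a list of "name@version"
// strings from the top-level dependency down to the vulnerable package.
function findVulnerableChains(tree, pkgName, fixedVersion, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${dep.version}`];
    if (
      name === pkgName &&
      dep.version &&
      compareVersions(dep.version, fixedVersion) < 0
    ) {
      hits.push(chain);
    }
    // Keep descending: the same package may be nested again deeper in the tree.
    hits.push(...findVulnerableChains(dep, pkgName, fixedVersion, chain));
  }
  return hits;
}

// Render chains in the indented style npm audit uses.
function formatChains(chains) {
  return chains
    .map((chain) => chain.map((p, i) => "  ".repeat(i) + p).join("\n"))
    .join("\n\n");
}

// Stand-alone run: read a saved `npm ls --all --json` file if a path is
// given on the command line, otherwise use the embedded sample tree.
if (typeof require !== "undefined" && require.main === module) {
  const tree = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : sampleTree;
  const chains = findVulnerableChains(tree, "on-headers", "1.1.0");
  console.log(
    chains.length ? formatChains(chains) : "no vulnerable on-headers found"
  );
}
```

Run it as `node find-chains.js tree.json` after saving `npm ls --all --json > tree.json` in the project directory, or with no argument to see the sample chain. The output shows why `npm audit fix` cannot help here: the only path to on-headers runs through compression's own pinned range, so the fix has to land in a compression bump upstream (or, where the installed npm supports the `overrides` field in package.json, in a consumer-side override of on-headers until that release ships).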
