Description
Situation
npm audit reports a low severity vulnerability, CVE-2025-7339, in the transitive dependency [email protected]
Steps to reproduce
Ubuntu 24.04.2 LTS, Node.js 22.17.1 LTS
```sh
cd $(mktemp -d)
npm install serve
npm audit
```
Logs
```
# npm audit report

on-headers  <1.1.0
on-headers is vulnerable to http response header manipulation - https://github.com/advisories/GHSA-76c9-3jph-rj3q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/on-headers
  compression  1.0.3 - 1.8.0
  Depends on vulnerable versions of on-headers
  node_modules/compression
    serve  >=10.1.0
    Depends on vulnerable versions of compression
    node_modules/serve

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Assessment
Running the following does not remediate the vulnerability:
[email protected] is pinned to [email protected] (released Mar 18, 2019), which is in turn pinned to the vulnerable on-headers@~1.0.2.
A minimum of [email protected] (current latest) is required to pull in the non-vulnerable on-headers@~1.1.0.
Recommendation
Bump [email protected] to [email protected] in dependencies of serve and release a new version.
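To make the pinning argument above checkable on a real project, here is an added example (not code from the serve project or from this issue) that walks a package-lock.json `packages` map, reports every installed on-headers below the fixed 1.1.0 together with the chain of declared ranges that pins it, and says whether the range declared by the direct dependent could ever admit the fixed version. The lock excerpt, the exact `compression` pin declared by `serve`, and the `satisfies` helper (exact, `~` and `^` ranges only, no 0.x caret special-casing, flat node_modules assumed) are assumptions for the sake of the example.

```javascript
// Added example: locate vulnerable on-headers installs in a lockfile and explain why
// `npm audit fix` cannot move them. GHSA-76c9-3jph-rj3q is fixed in on-headers 1.1.0.
const ADVISORY = { name: "on-headers", fixedIn: "1.1.0" };

// Constructed lockfile v3 "packages" excerpt. Versions sit inside the ranges npm audit
// printed; the exact "1.8.0" pin declared by serve is made up for illustration.
const LOCK = {
  "": { dependencies: { serve: "^14.2.4" } },
  "node_modules/serve": { version: "14.2.4", dependencies: { compression: "1.8.0" } },
  "node_modules/compression": { version: "1.8.0", dependencies: { "on-headers": "~1.0.2" } },
  "node_modules/on-headers": { version: "1.0.2" },
};

const parse = (v) => v.split(".").map(Number);
// Numeric compare of two x.y.z strings: negative, zero or positive like strcmp.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal range check for the forms in this lockfile: exact, ~x.y.z (same minor), ^x.y.z (same major).
function satisfies(version, range) {
  const base = range.replace(/^[~^]/, "");
  if (cmp(version, base) < 0) return false;
  const [major, minor] = parse(base);
  if (range.startsWith("~")) return cmp(version, `${major}.${minor + 1}.0`) < 0;
  if (range.startsWith("^")) return cmp(version, `${major + 1}.0.0`) < 0;
  return cmp(version, base) === 0;
}

// Depth-first walk from the root following declared dependencies; returns one hit per
// vulnerable install with its chain and whether the declaring range admits the fix.
function findPins(lock, advisory) {
  const hits = [];
  const seen = new Set();
  const walk = (path, chain) => {
    if (seen.has(path)) return; // guard against dependency cycles
    seen.add(path);
    for (const [dep, range] of Object.entries(lock[path].dependencies || {})) {
      const depPath = `node_modules/${dep}`;
      const node = lock[depPath];
      if (!node) continue;
      const next = chain.concat(`${dep}@${node.version} (declared ${range})`);
      if (dep === advisory.name && cmp(node.version, advisory.fixedIn) < 0) {
        hits.push({ chain: next, rangeAllowsFix: satisfies(advisory.fixedIn, range) });
      }
      walk(depPath, next);
    }
  };
  walk("", []);
  return hits;
}

for (const h of findPins(LOCK, ADVISORY)) {
  console.log(h.chain.join(" -> "), h.rangeAllowsFix ? "(fixable by audit fix)" : "(needs upstream release)");
}
```

For the constructed lock the chain serve -> compression -> on-headers is printed with "(needs upstream release)", because `~1.0.2` excludes 1.1.0 just as the issue describes.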
Library version
14.2.4 (current latest)
Node version
v22.17.1