morgan-1.10.0.tgz: 3 vulnerabilities (highest severity is: 9.8) [master] (reachable)

[mend-developer-platform-dev]

📂 Vulnerable Library - morgan-1.10.0.tgz

HTTP request logger middleware for node.js

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-587792-470342	🟣 Critical	9.8	N/A	N/A	on-finished-2.3.0.tgz	Transitive	N/A	❌
CVE-636288-474053	🟣 Critical	9.8	N/A	N/A	on-headers-1.0.2.tgz	Transitive	N/A	❌
CVE-2025-7339	🟠 Medium	4.6	Not Defined	< 1%	on-headers-1.0.2.tgz	Transitive	N/A	❌	Reachable

Details

🟣CVE-587792-470342

Vulnerable Library - on-finished-2.3.0.tgz

Execute a callback when a request closes, finishes, or errors

Library home page: https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz

Dependency Hierarchy:

• express-4.17.1.tgz (Root Library)

  • ❌ on-finished-2.3.0.tgz (Vulnerable Library)

• morgan-1.10.0.tgz (Root Library)

  • ❌ on-finished-2.3.0.tgz (Vulnerable Library)

---

Vulnerability Details

Created automatically by the test suite

Publish Date: Jun 07, 2010 05:12 PM

URL: CVE-587792-470342

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 9.8

---

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟣CVE-636288-474053

Vulnerable Library - on-headers-1.0.2.tgz

Execute a listener when a response is about to write headers

Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz

Dependency Hierarchy:

• webpack-dev-server-4.9.0.tgz (Root Library)

  • compression-1.7.4.tgz
    • ❌ on-headers-1.0.2.tgz (Vulnerable Library)

• morgan-1.10.0.tgz (Root Library)

  • ❌ on-headers-1.0.2.tgz (Vulnerable Library)

---

Vulnerability Details

Created automatically by the test suite

Publish Date: Jun 07, 2010 05:12 PM

URL: CVE-636288-474053

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 9.8

---

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠CVE-2025-7339

Vulnerable Library - on-headers-1.0.2.tgz

Execute a listener when a response is about to write headers

Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz

Dependency Hierarchy:

• webpack-dev-server-4.9.0.tgz (Root Library)

  • compression-1.7.4.tgz
    • ❌ on-headers-1.0.2.tgz (Vulnerable Library)

• morgan-1.10.0.tgz (Root Library)

  • ❌ on-headers-1.0.2.tgz (Vulnerable Library)

---

Reachability Analysis

This vulnerability is potentially reachable:

---

Vulnerability Details

on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jul 17, 2025 03:47 PM

URL: CVE-2025-7339

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 4.6

---

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :