diff --git a/HISTORY.md b/HISTORY.md
index 1dcedcc5..401ffbd5 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,7 +1,8 @@
 unpublished
 ==========
   * deps: mocha@10.8.2
-
+  * deps: on-headers@~1.1.0
+    - Fix [CVE-2025-7339](https://www.cve.org/CVERecord?id=CVE-2025-7339) ([GHSA-76c9-3jph-rj3q](https://github.com/expressjs/on-headers/security/advisories/GHSA-76c9-3jph-rj3q))
 
 1.18.1 / 2024-10-08
 ==========
diff --git a/package.json b/package.json
index b4978a27..f03896af 100644
--- a/package.json
+++ b/package.json
@@ -14,7 +14,7 @@
     "cookie-signature": "1.0.7",
     "debug": "2.6.9",
     "depd": "~2.0.0",
-    "on-headers": "~1.0.2",
+    "on-headers": "~1.1.0",
     "parseurl": "~1.3.3",
     "safe-buffer": "5.2.1",
     "uid-safe": "~2.1.5"