diff --git a/HISTORY.md b/HISTORY.md
index 32654a1..15419d3 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,9 @@
+unreleased
+==========
+
+  * deps: on-headers@~1.1.0
+    - Fix [CVE-2025-7339](https://www.cve.org/CVERecord?id=CVE-2025-7339) ([GHSA-76c9-3jph-rj3q](https://github.com/expressjs/on-headers/security/advisories/GHSA-76c9-3jph-rj3q))
+
 2.1.0 / 2024-01-23
 ==================
 
diff --git a/package.json b/package.json
index cd3245a..dd22ae6 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
   "dependencies": {
     "cookies": "0.9.1",
     "debug": "3.2.7",
-    "on-headers": "~1.0.2",
+    "on-headers": "~1.1.0",
     "safe-buffer": "5.2.1"
   },
   "devDependencies": {