diff --git a/HISTORY.md b/HISTORY.md
index 8426f14..aae9af3 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,9 @@
+unreleased
+==========
+
+  * deps: on-headers@~1.1.0
+    - Fix [CVE-2025-7339](https://www.cve.org/CVERecord?id=CVE-2025-7339) ([GHSA-76c9-3jph-rj3q](https://github.com/expressjs/on-headers/security/advisories/GHSA-76c9-3jph-rj3q))
+
 1.9.0 / 2017-05-16
 ==================
 
diff --git a/package.json b/package.json
index 021c4d0..ac8446b 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
     "http-errors": "~1.6.1",
     "ms": "2.0.0",
     "on-finished": "~2.3.0",
-    "on-headers": "~1.0.1"
+    "on-headers": "~1.1.0"
   },
   "devDependencies": {
     "eslint": "3.19.0",