VDB
KO
MEDIUM 5.3

GHSA-4vj7-5mj6-jm8m

morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

Details

### Impact

Morgan's `:remote-user` token extracts the Basic auth username from the `Authorization` header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted `Authorization: Basic` header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.

The built-in `combined`, `common`, `default`, and `short` formats are affected, as well as any custom format that includes `:remote-user`.

### Patches

Users should upgrade to version 1.11.0.

### Workarounds

Use a custom format string that does not include `:remote-user`.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / morgan
Introduced in: 1.2.0 Fixed in: 1.11.0
Fix npm install morgan@1.11.0

References