GHSA-4vj7-5mj6-jm8m
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Details
### Impact
Morgan's `:remote-user` token extracts the Basic auth username from the `Authorization` header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted `Authorization: Basic` header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.
The built-in `combined`, `common`, `default`, and `short` formats are affected, as well as any custom format that includes `:remote-user`.
### Patches
Users should upgrade to version 1.11.0.
### Workarounds
Use a custom format string that does not include `:remote-user`.
Are you affected?
Enter the version of the package you're using.