Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 244 npm packages depend on morgan (3 direct, 241 indirect)
Ecosystem-wide dependent count for version 1.2.0.
DescriptionCVE.org
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user.
AnalysisAI
Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.
Technical ContextAI
morgan is a widely deployed HTTP request logging middleware for Node.js, commonly used with Express.js. It supports configurable format strings composed of tokens - :remote-user being one that extracts the username component from a parsed Basic Authentication Authorization header. The root cause is CWE-117 (Improper Output Neutralization for Logs): user-controlled input is written to the log stream without stripping or escaping newline characters (CR \r, LF \n), which are structural delimiters in line-oriented log formats. This allows a single HTTP request to produce multiple log lines, with the injected lines appearing indistinguishable from legitimate access log entries. All four built-in morgan format strings - combined, common, default, and short - reference :remote-user and are therefore affected. Any user-defined custom format that includes :remote-user is equally vulnerable. The affected CPE is cpe:2.3:a:morgan:morgan:*:*:*:*:*:*:*:*, with the authoritative version range of 1.2.0-1.10.1 established by the OpenJS Foundation advisory.
RemediationAI
Upgrade morgan to version 1.11.0, the vendor-released patch that neutralizes control characters in :remote-user token output before writing to the log stream. This is documented in the OpenJS Foundation advisory at https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m and the CNA page at https://cna.openjsf.org/security-advisories.html. If an immediate upgrade is not possible, switch to a custom morgan format string that omits the :remote-user token entirely - the trade-off is loss of authenticated username capture in access logs, which may reduce visibility for authentication auditing and forensics. An additional compensating control is to configure a reverse proxy or WAF to reject or strip Authorization headers containing raw CR or LF bytes before they reach the Node.js process; this blocks the injection vector at the perimeter but requires careful regex or byte-inspection rules to avoid breaking legitimate Basic auth flows. The upgrade path has no known side effects.
Same weakness CWE-117 – Improper Output Neutralization for Logs
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34067
GHSA-4vj7-5mj6-jm8m