Skip to main content

morgan CVE-2026-5078

| EUVDEUVD-2026-34067 MEDIUM
Improper Output Neutralization for Logs (CWE-117)
2026-06-03 openjs GHSA-4vj7-5mj6-jm8m
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 03, 2026 - 07:45 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 244 npm packages depend on morgan (3 direct, 241 indirect)

Ecosystem-wide dependent count for version 1.2.0.

DescriptionCVE.org

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user.

AnalysisAI

Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.

Technical ContextAI

morgan is a widely deployed HTTP request logging middleware for Node.js, commonly used with Express.js. It supports configurable format strings composed of tokens - :remote-user being one that extracts the username component from a parsed Basic Authentication Authorization header. The root cause is CWE-117 (Improper Output Neutralization for Logs): user-controlled input is written to the log stream without stripping or escaping newline characters (CR \r, LF \n), which are structural delimiters in line-oriented log formats. This allows a single HTTP request to produce multiple log lines, with the injected lines appearing indistinguishable from legitimate access log entries. All four built-in morgan format strings - combined, common, default, and short - reference :remote-user and are therefore affected. Any user-defined custom format that includes :remote-user is equally vulnerable. The affected CPE is cpe:2.3:a:morgan:morgan:*:*:*:*:*:*:*:*, with the authoritative version range of 1.2.0-1.10.1 established by the OpenJS Foundation advisory.

RemediationAI

Upgrade morgan to version 1.11.0, the vendor-released patch that neutralizes control characters in :remote-user token output before writing to the log stream. This is documented in the OpenJS Foundation advisory at https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m and the CNA page at https://cna.openjsf.org/security-advisories.html. If an immediate upgrade is not possible, switch to a custom morgan format string that omits the :remote-user token entirely - the trade-off is loss of authenticated username capture in access logs, which may reduce visibility for authentication auditing and forensics. An additional compensating control is to configure a reverse proxy or WAF to reject or strip Authorization headers containing raw CR or LF bytes before they reach the Node.js process; this blocks the injection vector at the perimeter but requires careful regex or byte-inspection rules to avoid breaking legitimate Basic auth flows. The upgrade path has no known side effects.

Vendor StatusVendor

Share

CVE-2026-5078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy