CVE-2026-5078

MEDIUM 5.3

morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user.

CWE	CWE-117
Vendor	morgan
Product	morgan
Published	Jun 3, 2026
Last Updated	Jun 3, 2026

Stay Ahead of the Next One

Get instant alerts for morgan morgan

Be the first to know when new medium vulnerabilities affecting morgan morgan are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

morgan / morgan

1.2.0 ≤ 1.10.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

🔍 Yuki Matsuhashi Ulises Gascón Jon Church