Advisories for Npm/Morgan package

2026

morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

Morgan's :remote-user token extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted Authorization: Basic header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs. The built-in combined, common, default, and short formats are affected, as well as any custom format that includes :remote-user.

2019