DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-5078: CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

Vulnerability ID: CVE-2026-5078
CVSS Score: 5.3
Published: 2026-07-10

CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.

TL;DR

Unauthenticated remote log injection in Morgan middleware (versions 1.2.0-1.10.1) due to improper sanitization of basic authentication credentials. Upgrading to version 1.11.0 remediates the vulnerability.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-117 (Improper Output Neutralization for Logs)
  • Attack Vector: Network (Remote, Unauthenticated)
  • CVSS v3.1 Score: 5.3 (Medium)
  • EPSS Score: 0.00246
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Node.js applications using Morgan middleware versions 1.2.0 through 1.10.1 configured with log formats that include the :remote-user token.
  • morgan: >= 1.2.0, <= 1.10.1 (Fixed in: 1.11.0)

Code Analysis

Commit: b3f5d9b

Introduces escapeLogField private utility to escape control characters and backslashes for line-oriented logs, and wraps remote-user token outputs.

Commit: e0e6f17

Release commit for version 1.11.0, including unit test updates to prevent log injection regressions.

Exploit Details

  • GitHub Security Advisory: Proof of concept showcasing unit tests and raw payloads to trigger unescaped carriage returns and log parsing issues.

Mitigation Strategies

  • Upgrade the Morgan middleware to version 1.11.0 or later to ensure automatic escaping of control characters.
  • Modify custom Morgan logging configurations to exclude the :remote-user token if immediate patching is not possible.
  • Deploy Web Application Firewall (WAF) rules to inspect and decode the Authorization: Basic header, blocking requests containing raw CRLF characters.

Remediation Steps:

  1. Identify all Node.js projects utilizing the morgan npm package.
  2. Verify the installed version of morgan using 'npm list morgan' or checking package-lock.json.
  3. Update the dependency to version 1.11.0 or higher by running 'npm install morgan@1.11.0' or 'npm update morgan'.
  4. If unable to update, replace pre-built 'combined' or 'common' log formats with custom strings excluding the ':remote-user' token.
  5. Deploy and test log-monitoring queries to detect escaped sequence signatures 'u0000', 'u001f', or '\r\n' in system logs.

References


Read the full report for CVE-2026-5078 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)