Morgan (Nodejs), Log Forgery via Unneutralized Control Characters, CVE-2026-5078 (Medium) -DC-Jul2026-853

Listen to this Post

How CVE-2026-5078 Works

Morgan is a popular HTTP request logging middleware for Node.js applications. It provides various pre-defined log formats (e.g., combined, common, default, short) and allows custom formats through token-based string interpolation. One such token is :remote-user, which is designed to extract and log the username from the `Authorization: Basic` header sent by the client.
The vulnerability stems from the fact that prior to version 1.11.0, Morgan would write the value of the `:remote-user` token directly to the log stream without any sanitization or neutralization of control characters. Specifically, the token extracts the Base64-decoded credentials from the `Authorization` header and returns the username portion as-is.
An unauthenticated attacker can exploit this by crafting an `Authorization: Basic` header that includes Carriage Return (CR, \r) and Line Feed (LF, \n) characters within the username string. For example, a username like `evil\nuser:x` can be Base64-encoded and sent in the header. When Morgan processes this request, it logs the username including the newline characters, effectively injecting a new log line into the access log file.
This log injection breaks the assumption that each HTTP request corresponds to exactly one line in the access log. By carefully controlling the injected content, an attacker can forge arbitrary log entries, potentially misleading administrators, evading detection, or poisoning logs consumed by downstream security information and event management (SIEM) systems.
All built-in formats that include `:remote-user` are affected, as is any custom format that references this token. The vulnerability affects Morgan versions 1.2.0 through 1.10.1. The fix in version 1.11.0 neutralizes control characters by escaping them, ensuring that the `:remote-user` value cannot break the log line structure. As a workaround, developers can use a custom format string that omits the `:remote-user` token.

DailyCVE Form:

Platform: ……. Node.js / npm
Version: …….. 1.2.0 – 1.10.1
Vulnerability :.. Log Forgery (CWE-117)
Severity: ……. 5.3 (Medium, CVSS:3.1)
date: ……….. June 2, 2026 (published)

Prediction: ….. July 2026 (patch available)

What Undercode Say

Analytics:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Bash Commands & Codes:

To check your current Morgan version:

npm list morgan

To update to the patched version:

npm install [email protected]

To verify the update:

npm list morgan
Should output [email protected]

Exploit:

An attacker can send a crafted `Authorization: Basic` header containing CR/LF characters. For example, using curl:

Encode 'evil\nuser:x' in Base64
echo -n 'evil\nuser:x' | base64
Output: ZXZpbFxudXNlcjp4
Send request with forged header
curl -H "Authorization: Basic ZXZpbFxudXNlcjp4" http://target-app/

This injects a newline into the log, creating a forged log entry.

Protection:

  • Upgrade: Immediately upgrade to Morgan version 1.11.0 or later.
  • Workaround: If upgrading is not immediately possible, modify your Morgan format string to exclude the `:remote-user` token.
  • Input Validation: As a defense-in-depth measure, consider sanitizing or validating the `Authorization` header before it reaches the logging middleware.
  • Log Monitoring: Implement log monitoring and alerting for anomalous log entries (e.g., unexpected newlines or control characters).

Impact:

Successful exploitation allows an attacker to inject arbitrary log lines, corrupting the integrity of access logs. This can lead to:
– Log Forging: Injection of false log entries to mislead administrators or hide malicious activity.
– Evasion: Bypassing security controls that rely on log analysis for intrusion detection.
– SIEM Poisoning: Corrupting data fed to downstream log consumers, potentially causing false positives or missing alerts.
– Compliance Violations: Tampering with audit trails required for regulatory compliance.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top