morgan
cpe:2.3:a:morgan_project:morgan:*:*:*:*:node.js:*:*
- >= 1.2.0, <= 1.10.1
A log forging vulnerability has been identified in the Morgan logging middleware, specifically in versions 1.2.0 through 1.10.1. The issue arises because the ':remote-user' token extracts the Basic authentication username from the Authorization header and logs it without neutralizing control characters. This flaw allows an unauthenticated attacker to send a crafted Authorization header containing CR or LF bytes, injecting forged log lines that disrupt the standard one-request-per-line format of access logs. The vulnerability affects the built-in 'combined', 'common', 'default', and 'short' log formats, as well as any custom format that includes ':remote-user'.
Successful exploitation results in log forging: because the injected bytes are written verbatim, an attacker can append one or more lines that look like legitimate, fully formed access-log entries (for example, entries attributing requests to another client address or user). Downstream consumers that split the log on newlines, such as parsers, alerting rules, or an analyst reading the file, cannot distinguish the forged entries from real ones.
Users are advised to upgrade to Morgan version 1.11.0 or later, which addresses the vulnerability by neutralizing control characters in the ':remote-user' token output. Where upgrading is not immediately possible, use a custom format string that excludes ':remote-user'; note that the built-in 'combined', 'common', 'default', and 'short' formats all include it, so switching to one of those is not a workaround.
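The following is an added example, not code from the Morgan project or from this advisory. It re-implements, in simplified form, what a ':remote-user'-style token does: decode the Basic credentials from the Authorization header and place the username into a 'common'-format line verbatim. A constructed request whose username carries CRLF followed by a fake entry produces two log lines from a single request; `neutralizeControlChars` shows one escaping scheme that keeps the entry on one line (an illustration of the mitigation, not the exact escaping Morgan 1.11.0 applies). The function names, the sample request, and the forged username are all constructed for this example.

```javascript
// Added example: simplified stand-in for morgan's ':remote-user' token and
// 'common' format. Not morgan's source; written to show the log-forging path.

// Extract the Basic-auth username with no control-character handling,
// mirroring the vulnerable behaviour described in the advisory.
function basicUsername(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return undefined;
  const match = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(authorizationHeader.trim());
  if (!match) return undefined;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  return colon === -1 ? undefined : decoded.slice(0, colon);
}

// Render one 'common'-format entry. `remoteUser` is inserted verbatim,
// which is exactly what lets CR/LF bytes split the entry.
function renderCommonLine(req, remoteUser) {
  const user = remoteUser === undefined ? '-' : remoteUser;
  return `${req.ip} - ${user} [${req.date}] "${req.method} ${req.url} HTTP/1.1" ${req.status} ${req.length}`;
}

// Hardening used in this example (not morgan's patch): replace every C0
// control character and DEL with a visible \xNN escape so the entry
// cannot be split and the attacker's bytes remain inspectable.
function neutralizeControlChars(value) {
  if (value === undefined) return undefined;
  return value.replace(/[\x00-\x1f\x7f]/g, (c) =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function vulnerableLogLine(req) {
  return renderCommonLine(req, basicUsername(req.authorization));
}

function hardenedLogLine(req) {
  return renderCommonLine(req, neutralizeControlChars(basicUsername(req.authorization)));
}

// Number of physical lines a newline-splitting log consumer would see.
function countLogLines(text) {
  return text.split(/\r?\n/).length;
}

// Constructed attacker input: a real-looking username, then CRLF, then a
// complete fake entry attributing an admin login to another client address.
const forgedUsername =
  'alice\r\n10.0.0.9 - admin [01/Jan/2024:00:00:01 +0000] "POST /admin/login HTTP/1.1" 200 12';

// Constructed sample request; unauthenticated, only the header is needed.
const sampleRequest = {
  ip: '203.0.113.7',
  date: '01/Jan/2024:00:00:00 +0000',
  method: 'GET',
  url: '/health',
  status: 200,
  length: 2,
  authorization: 'Basic ' + Buffer.from(forgedUsername + ':pw').toString('base64'),
};

console.log('--- vulnerable (two lines from one request) ---');
console.log(vulnerableLogLine(sampleRequest));
console.log('--- hardened (one line, control bytes escaped) ---');
console.log(hardenedLogLine(sampleRequest));
```

Running the block prints the vulnerable rendering as two lines, the second of which is indistinguishable from a genuine entry, and the hardened rendering as a single line containing the literal text `alice\x0d\x0a10.0.0.9 ...`. The same check applies to any custom format: every token that echoes request-controlled data should pass through a neutralizing step before it reaches the line writer.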