A CRLF injection vulnerability in the morgan HTTP request logger for Node.js, tracked as CVE-2026-5078, allows attackers to inject arbitrary log entries by supplying crafted Basic authentication usernames. morgan is one of the most widely used HTTP logging middlewares in the Node.js ecosystem, with millions of weekly downloads.
What Is the Vulnerability?
CVE-2026-5078 exists because morgan’s :remote-user token extracts the Basic auth username from the Authorization request header and writes it directly to the log stream without any sanitisation or neutralisation of special characters. An attacker can supply a crafted username containing CRLF sequences, which are written verbatim into the application log, allowing log entry injection or log forging.
- CVSS v3.1 Score: 8.1 (High)
- CWE: CWE-117 (Improper Output Neutralization for Logs)
Which Versions Are Affected?
- morgan: all versions prior to the patched release
What Is the Fix?
Update morgan to the latest version. The fix sanitises the :remote-user token output to strip CRLF characters before writing to the log stream.
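The following is an added example, not morgan's own code, showing the class of fix described above: the Basic auth username is extracted from the Authorization header and every control character (CR and LF included) is replaced with a visible escape before the value is placed into a log line, so one request can never produce more than one log entry. The helper names (extractBasicUser, neutraliseForLog, formatAccessLogLine, renderSampleLog) and the sample requests are assumptions constructed for this illustration.

```javascript
// Added example (not morgan's own code): parse a Basic auth username from an
// Authorization header and neutralise CR/LF before it reaches a log line.
// Helper names and sample data are assumptions for this illustration.

// Extract the username portion of an HTTP Basic credential, or null if the
// header is absent or not Basic. This mirrors the kind of value a
// :remote-user token emits.
function extractBasicUser(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const match = /^Basic\s+([A-Za-z0-9+\/=]+)\s*$/.exec(authorizationHeader);
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  return sep === -1 ? decoded : decoded.slice(0, sep);
}

// Replace CR, LF and every other C0/DEL control character with a visible
// escape. The logged value stays on a single line, and a reviewer can still
// see that control characters were present in the original input.
function neutraliseForLog(value) {
  if (value === null || value === undefined) return '-';
  return String(value).replace(/[\x00-\x1f\x7f]/g, (ch) => {
    switch (ch) {
      case '\r': return '\\r';
      case '\n': return '\\n';
      case '\t': return '\\t';
      default: return '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
    }
  });
}

// Build one access-log line; every attacker-influenced field goes through
// neutraliseForLog. Returns the line without a trailing newline so callers
// (and tests) can inspect it.
function formatAccessLogLine(req, status) {
  const user = neutraliseForLog(extractBasicUser(req.headers.authorization));
  const method = neutraliseForLog(req.method);
  const url = neutraliseForLog(req.url);
  return `${req.ip} - ${user} "${method} ${url}" ${status}`;
}

// Constructed sample requests. The second carries a username whose decoded
// form contains a CRLF sequence; the third has no Authorization header.
const benignHeader = 'Basic ' + Buffer.from('alice:s3cret').toString('base64');
const crlfHeader = 'Basic ' + Buffer.from('alice\r\ninjected text:pw').toString('base64');

const SAMPLE_REQUESTS = [
  { ip: '203.0.113.10', method: 'GET', url: '/', headers: { authorization: benignHeader } },
  { ip: '203.0.113.11', method: 'GET', url: '/admin', headers: { authorization: crlfHeader } },
  { ip: '203.0.113.12', method: 'GET', url: '/health', headers: {} },
];

// Render all sample requests as log lines; exactly one line per request.
function renderSampleLog() {
  return SAMPLE_REQUESTS.map((r) => formatAccessLogLine(r, 200));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of renderSampleLog()) console.log(line);
}
```

The design choice worth noting is escaping rather than silently deleting: stripping CR/LF keeps the log well-formed, but rendering them as `\r` and `\n` also leaves evidence that a client sent control characters, which is exactly the signal a detection rule over access logs would want to alert on.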
Recommendations
Update morgan in all Node.js applications. morgan is a transitive dependency in many Express.js applications — check your dependency tree. Log injection can be used to forge audit trail entries, inject malicious content into log analysis tools, and bypass log-based security monitoring.
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
