org.webjars.npm:morgan@1.5.3

latest version

1.9.1

first published

9 years ago

latest version published

7 years ago

licenses detected

MIT
[1.5.3,)

package registry

View on Maven Central Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:morgan package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Improper Output Neutralization for Logs org.webjars.npm:morgan is a HTTP request logger middleware for node.js. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the `:remote-user` token, which extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can inject forged log lines by sending crafted Authorization headers containing CR or LF bytes, potentially breaking the one-request-per-line structure of access logs and misleading downstream log consumers. How to fix Improper Output Neutralization for Logs? A fix was pushed into the `master` branch but not yet published.	[0,)
M Arbitrary Code Injection org.webjars.npm:morgan is a HTTP request logger middleware for node.js. Affected versions of this package are vulnerable to Arbitrary Code Injection. An attacker could use the format parameter to inject arbitrary commands. How to fix Arbitrary Code Injection? Upgrade `org.webjars.npm:morgan` to version 1.9.1 or higher.	[,1.9.1)

Improper Output Neutralization for Logs

org.webjars.npm:morgan is a HTTP request logger middleware for node.js.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the :remote-user token, which extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can inject forged log lines by sending crafted Authorization headers containing CR or LF bytes, potentially breaking the one-request-per-line structure of access logs and misleading downstream log consumers.

How to fix Improper Output Neutralization for Logs?

A fix was pushed into the master branch but not yet published.

[0,)

Arbitrary Code Injection

org.webjars.npm:morgan is a HTTP request logger middleware for node.js.

Affected versions of this package are vulnerable to Arbitrary Code Injection. An attacker could use the format parameter to inject arbitrary commands.

How to fix Arbitrary Code Injection?

Upgrade org.webjars.npm:morgan to version 1.9.1 or higher.

[,1.9.1)

Go back to all versions of this package