Update dependency morgan to v1.11.0 [SECURITY]#9779
Open
backstage-goalie[bot] wants to merge 1 commit into
Open
Update dependency morgan to v1.11.0 [SECURITY]#9779backstage-goalie[bot] wants to merge 1 commit into
backstage-goalie[bot] wants to merge 1 commit into
Conversation
01a2b8a to
42a186d
Compare
42a186d to
55b1204
Compare
55b1204 to
5d89bae
Compare
5d89bae to
0d9fe8b
Compare
0d9fe8b to
6f41398
Compare
6f41398 to
fbd511c
Compare
fbd511c to
1b8ad0f
Compare
1b8ad0f to
b7270b1
Compare
b7270b1 to
341d0d7
Compare
341d0d7 to
ab22898
Compare
Signed-off-by: Renovate Bot <bot@renovateapp.com>
ab22898 to
d8562b4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.10.0→1.11.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
CVE-2026-5078 / GHSA-4vj7-5mj6-jm8m
More information
Details
Impact
Morgan's
:remote-usertoken extracts the Basic auth username from theAuthorizationheader and writes it to the log stream without neutralizing control characters. An attacker can send a craftedAuthorization: Basicheader containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.The built-in
combined,common,default, andshortformats are affected, as well as any custom format that includes:remote-user.Patches
Users should upgrade to version 1.11.0.
Workarounds
Use a custom format string that does not include
:remote-user.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
expressjs/morgan (morgan)
v1.11.0Compare Source
===================
:pidtokenSecurity Fix:
:remote-usertoken to prevent log injectionv1.10.1Compare Source
===================
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.