Skip to content

Commit e0e6f17

Browse files
authored
Release 1.11.0 (#350)
* fix: test case failed on node 0.8 bc buffer.from, hardcode * docs: update HISTORY.md for 1.11.0 * 1.11.0
1 parent b3f5d9b commit e0e6f17

3 files changed

Lines changed: 8 additions & 3 deletions

File tree

HISTORY.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,11 @@
1-
unreleased
1+
1.11.0 / 2026-06-02
22
===================
33
* add `:pid` token
44

5+
Security Fix:
6+
* Escape control characters in `:remote-user` token to prevent log injection
7+
* Fixes [CVE-2026-5078](https://www.cve.org/CVERecord?id=CVE-2026-5078) [GHSA-4vj7-5mj6-jm8m](https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m)
8+
59
1.10.1 / 2025-07-17
610
===================
711

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"name": "morgan",
33
"description": "HTTP request logger middleware for node.js",
4-
"version": "1.10.1",
4+
"version": "1.11.0",
55
"contributors": [
66
"Douglas Christopher Wilson <doug@somethingdoug.com>",
77
"Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)"

test/morgan.js

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -668,9 +668,10 @@ describe('morgan()', function () {
668668
cb(null, null, line)
669669
})
670670

671+
// 'evil\nuser:x' (literal backslash) in Base64
671672
request(createServer(':remote-user', { stream: stream }))
672673
.get('/')
673-
.set('Authorization', 'Basic ' + Buffer.from('evil\\nuser:x').toString('base64'))
674+
.set('Authorization', 'Basic ZXZpbFxudXNlcjp4')
674675
.expect(200, cb)
675676
})
676677

0 commit comments

Comments
 (0)