From b0618642ef95abee65cfbadf7a9a42447621526d Mon Sep 17 00:00:00 2001 From: Jon Church Date: Tue, 2 Jun 2026 14:31:32 -0400 Subject: [PATCH 1/3] fix: test case failed on node 0.8 bc buffer.from, hardcode --- test/morgan.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/morgan.js b/test/morgan.js index 287d9e0..85d3b9a 100644 --- a/test/morgan.js +++ b/test/morgan.js @@ -668,9 +668,10 @@ describe('morgan()', function () { cb(null, null, line) }) + // 'evil\nuser:x' (literal backslash) in Base64 request(createServer(':remote-user', { stream: stream })) .get('/') - .set('Authorization', 'Basic ' + Buffer.from('evil\\nuser:x').toString('base64')) + .set('Authorization', 'Basic ZXZpbFxudXNlcjp4') .expect(200, cb) }) From 0a501951aef743c0cb2154559fd669edb5cdd6d9 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Tue, 2 Jun 2026 14:33:17 -0400 Subject: [PATCH 2/3] docs: update HISTORY.md for 1.11.0 --- HISTORY.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index d6b9e5a..656c549 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,7 +1,11 @@ -unreleased +1.11.0 / 2026-06-02 =================== * add `:pid` token + Security Fix: + * Escape control characters in `:remote-user` token to prevent log injection + * Fixes [CVE-2026-5078](https://www.cve.org/CVERecord?id=CVE-2026-5078) [GHSA-4vj7-5mj6-jm8m](https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m) + 1.10.1 / 2025-07-17 =================== From 37e9603841399fb873688ab1d66c208c2059c973 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Tue, 2 Jun 2026 14:33:37 -0400 Subject: [PATCH 3/3] 1.11.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d365bba..5bcce9e 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "morgan", "description": "HTTP request logger middleware for node.js", - "version": "1.10.1", + "version": "1.11.0", "contributors": [ "Douglas Christopher Wilson ", "Jonathan Ong (http://jongleberry.com)"