Impact
morgan is a Node.js logging middleware that records HTTP request details. The :remote-user token extracts the username from the Basic Authorization header and writes it to the log stream without neutralizing control characters. An attacker who can send a request with a crafted Authorization header containing CR or LF bytes can inject arbitrary log lines, breaking the one‑request‑per‑line convention and enabling forged entries for downstream log consumers. This flaw, classified as CWE‑117, allows log forgery that could be used to obscure real traffic or mislead monitoring tools, though it does not grant direct code execution or privilege escalation.
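The mitigation implied above is to neutralize control characters before the user name reaches the log stream. The following is an added example written for this advisory, not morgan's own code: it re-implements Basic-credential parsing in simplified form (an assumption, not morgan's parser), escapes control bytes, and registers the result through morgan.token(name, fn), which is morgan's public way to override a built-in token.

```javascript
// Added example (not morgan's own code): a drop-in replacement for the
// :remote-user token that escapes control characters before logging.
// Assumes Node.js; the Basic-auth parsing below is a simplified
// re-implementation written for this example, not morgan's own parser.

// Parse "Authorization: Basic <base64(user:pass)>" and return the user part,
// or undefined when the header is absent or malformed.
function basicAuthUser(req) {
  const header = req.headers && req.headers.authorization;
  if (typeof header !== 'string') return undefined;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!m) return undefined;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  return colon === -1 ? undefined : decoded.slice(0, colon);
}

// Escape CR, LF and every other C0/DEL control byte so the value can never
// start a new log line. CR/LF get readable escapes, the rest \xNN.
function sanitizeLogField(value) {
  if (value === undefined || value === null) return value;
  return String(value).replace(/[\x00-\x1f\x7f]/g, (ch) => {
    if (ch === '\r') return '\\r';
    if (ch === '\n') return '\\n';
    return '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Token function with morgan's (req, res) signature; undefined makes morgan
// print its usual "-" placeholder.
function safeRemoteUser(req /*, res */) {
  return sanitizeLogField(basicAuthUser(req));
}

// morgan.token(name, fn) is morgan's public API for (re)defining a token.
// The instance is passed in so this file also runs where morgan is not installed.
function registerSafeRemoteUser(morgan) {
  morgan.token('remote-user', safeRemoteUser);
  return morgan;
}

// Constructed sample: a Basic credential whose user name carries a CRLF
// followed by text shaped like a second access-log line.
const forgedUser = 'alice\r\n10.0.0.1 - - [01/Jan/2024] "GET /admin" 200';
const sampleReq = {
  headers: { authorization: 'Basic ' + Buffer.from(forgedUser + ':pw').toString('base64') },
};
console.log('unsanitized:', JSON.stringify(basicAuthUser(sampleReq)));
console.log('sanitized  :', safeRemoteUser(sampleReq));
```

In an application, call registerSafeRemoteUser(require('morgan')) before creating the logger so the combined, common and short formats pick up the escaped token.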
Affected Systems
Affected versions are morgan 1.2.0 through 1.10.1. Any Node.js application that relies on the built‑in combined, common, default, or short log formats, or any custom format that references :remote-user, is vulnerable. The issue exists regardless of the underlying server framework, because it is tied to the morgan middleware itself.
Risk and Exploitability
The vulnerability can be exploited remotely by sending a specially crafted HTTP request over the network; the attacker does not need authentication or elevated privileges. The CVSS base score of 5.3 indicates moderate risk, and there is no EPSS score available, suggesting limited current exploitation data. The flaw is not listed as a Known Exploited Vulnerability, but the ability to inject arbitrary log entries means that an unauthenticated attacker could tamper with log integrity for any exposed web application that uses a vulnerable version of morgan.
OpenCVE Enrichment