Jon Church

Rank #48153 of 53,633
Total CVSS: 5.3
Vulnerabilities · 1
PT-2026-45901
5.3
2026-06-02
Npm · Morgan · CVE-2026-5078
**Name of the Vulnerable Software and Affected Versions**
morgan (npm), versions 1.2.0 through 1.10.1

**Description**
The logging middleware fails to neutralize control characters when the `:remote-user` token extracts the Basic auth username from the Authorization request header. An unauthenticated attacker can send a crafted `Authorization: Basic` header whose base64-decoded username contains Carriage Return (CR) or Line Feed (LF) bytes; the bytes are written into the access log verbatim, so the attacker can inject forged log lines. This breaks the one-request-per-line structure of access logs and enables log forgery against downstream log consumers (log shippers, SIEM parsers, anyone grepping the file). The issue affects the built-in combined, common, default, and short formats, as well as any custom format referencing `:remote-user`.

**Recommendations**
Upgrade to version 1.11.0. As a temporary workaround, use a custom format string that does not include `:remote-user`; note that this removes the authenticated username from the access log entirely until the upgrade is applied.
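The following is an added example, not morgan's source code and not the 1.11.0 fix: a stand-alone Node.js model of how an access-log middleware fills the `:remote-user` token from the Authorization header, first in the vulnerable form the advisory describes (decoded username copied into the line verbatim) and then in a hardened form that escapes control bytes. The helper names (`basicAuthUser`, `escapeControlChars`, `combinedLine`, `logLines`, `demo`), the `\xNN` escaping strategy, and the sample request, response, and crafted header are all assumptions constructed for the demonstration.

```javascript
// Added example, not morgan's source code: a stand-alone model of how an
// access-log middleware fills the `:remote-user` token from the Authorization
// header, in the vulnerable form described by the advisory and in a hardened
// form that escapes control characters. Request/response objects and the
// crafted header below are constructed for the demo.

// Decode the user name from a `Basic <base64>` Authorization header.
// Like common Basic-auth parsers, the user name ends at the first colon.
function basicAuthUser(authorization) {
  if (typeof authorization !== 'string') return undefined;
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)\s*$/i.exec(authorization);
  if (!m) return undefined;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  return colon < 0 ? undefined : decoded.slice(0, colon);
}

// Vulnerable token (the behaviour the advisory describes): the decoded user
// name is placed in the log line verbatim, CR/LF bytes included.
function remoteUserVulnerable(req) {
  return basicAuthUser(req.headers.authorization);
}

// Hardened token: every C0 control byte and DEL becomes a visible `\xNN`
// escape, so an attacker-controlled name can never terminate the log line.
// (Assumed mitigation for illustration; the real 1.11.0 fix may differ.)
function escapeControlChars(s) {
  return s.replace(/[\x00-\x1f\x7f]/g,
    (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
function remoteUserHardened(req) {
  const user = basicAuthUser(req.headers.authorization);
  return user === undefined ? undefined : escapeControlChars(user);
}

// Minimal renderer for the Apache "combined" layout that the `combined`
// preset mirrors; the date is fixed so the output is deterministic.
function combinedLine(req, res, remoteUser) {
  const user = remoteUser === undefined ? '-' : remoteUser;
  return `${req.remoteAddr} - ${user} [${req.dateClf}] ` +
    `"${req.method} ${req.url} HTTP/${req.httpVersion}" ` +
    `${res.status} ${res.contentLength} "${req.referrer}" "${req.userAgent}"`;
}

// What a downstream consumer sees: it assumes one entry per line.
function logLines(req, res, remoteUserToken) {
  return combinedLine(req, res, remoteUserToken(req)).split(/\r?\n/);
}

// Constructed attacker payload: the "user name" carries CRLF followed by a
// plausible second access-log line. It deliberately contains no colon,
// because the user name ends at the first colon (see basicAuthUser).
const FORGED_TAIL =
  '10.0.0.9 - admin [02/Jun/2026 12.00.00 +0000] "POST /admin/reset HTTP/1.1" 200 -';
const CRAFTED_AUTH = 'Basic ' +
  Buffer.from('alice\r\n' + FORGED_TAIL + ':pw', 'utf8').toString('base64');

// Constructed request and response, as the middleware would see them.
const sampleReq = {
  remoteAddr: '203.0.113.7',
  method: 'GET',
  url: '/profile',
  httpVersion: '1.1',
  dateClf: '02/Jun/2026:12:00:05 +0000',
  referrer: '-',
  userAgent: 'curl/8.0',
  headers: { authorization: CRAFTED_AUTH },
};
const sampleRes = { status: 200, contentLength: 512 };

// Render the same request through both tokens and return the resulting lines.
function demo() {
  return {
    vulnerable: logLines(sampleReq, sampleRes, remoteUserVulnerable),
    hardened: logLines(sampleReq, sampleRes, remoteUserHardened),
  };
}

const out = demo();
console.log('vulnerable token produced %d line(s):\n%s',
  out.vulnerable.length, out.vulnerable.join('\n'));
console.log('hardened token produced %d line(s):\n%s',
  out.hardened.length, out.hardened.join('\n'));
```

Running it shows the vulnerable token turning one request into two log entries, the second starting with the attacker-chosen `10.0.0.9 - admin ...`, while the hardened token keeps everything on one line with the injected CRLF visible as `\x0d\x0a`. Escaping rather than stripping is the better choice for forensics: the attempt stays visible in the log instead of silently disappearing.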