Skip to content

fix: sanitize user-controlled tokens to prevent log forging (CWE-117)#361

Open
muhamedfazalps wants to merge 1 commit into
expressjs:masterfrom
muhamedfazalps:fix/log-forging-vulnerability
Open

fix: sanitize user-controlled tokens to prevent log forging (CWE-117)#361
muhamedfazalps wants to merge 1 commit into
expressjs:masterfrom
muhamedfazalps:fix/log-forging-vulnerability

Conversation

@muhamedfazalps

Copy link
Copy Markdown

Problem

Fixes CVE-2026-5078

User-controlled HTTP tokens (URL, User-Agent, Referrer, Request Headers, Remote Address) were not sanitized before being written to log output. This allows CRLF injection (\r``\n) to forge log entries.

Example Attack

GET /attacker HTTP/1.1\r\nX-Injected: fake-admin-request

This would create two log lines, making the second line appear as a legitimate request.

Solution

  1. Apply escapeLogField() to all user-controlled tokens (not just :remote-addr)
  2. Add sanitizeLogLine() as defense-in-depth to strip \r, \n, \x00 from final output

Tokens now sanitized:

  • :url - wraps req.originalUrl || req.url
  • :method - wraps req.method
  • :user-agent - wraps req.headers['user-agent']
  • :referrer - wraps req.headers.referer
  • :req - wraps req.headers[field.toLowerCase()]
  • :remote-addr - wraps getip(req)
  • :http-version - wraps version string

Testing

Added tests for CRLF injection prevention in :url, :user-agent, :req, and :remote-addr tokens.


If this was helpful, consider supporting: https://buymeacoffee.com/muhamedfazalps

Apply escapeLogField() to all user-controlled HTTP tokens:
- :url, :method, :user-agent, :referrer, :req, :remote-addr
- :http-version

Add sanitizeLogLine() as defense-in-depth to strip \r, \n, \x00
from final output before writing to stream.

Fixes CVE-2026-5078
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant