Arbitrary Code Injection

Affecting morgan package, versions <1.9.1

medium severity

Overview

morgan is an HTTP request logger middleware for Node.js.

Affected versions of this package are vulnerable to Arbitrary Code Injection. An attacker could use the format parameter to inject arbitrary commands.

Remediation

Upgrade morgan to version 1.9.1 or higher.

Credit: Unknown
CWE: CWE-94
Snyk ID: SNYK-JS-MORGAN-72579
Disclosed: 09 Nov, 2018
Published: 12 Nov, 2018