# Log Injection

- ID: javascript-log-injection
- Severity: LOW
- CWE: Log Injection (CWE-117)
- Languages: JavaScript
- Frameworks: nodejs, express, fastify, koa, hapi

## Description

Detects user input flowing to persistent log files without sanitization.

## Detection Message

User input logged without sanitization. Attackers can inject newline characters to forge log entries.

## Remediation

Sanitize user input by removing newline characters before logging.

```javascript
const safe = userInput.replace(/[\r\n]/g, '');
logger.info(safe);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection

## Related Rules

- **Log Injection / Log Forging** [MEDIUM]:
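The remediation above, worked through as an added example (not code from the rule or its project): the same value is logged with and without newline stripping, and the log is then read back line by line, the way a reviewer or log parser would see it. `makeLogger`, `sanitizeForLog`, `logUnsafe`, `logSafe` and the sample username are hypothetical names and constructed data.

```javascript
// In-memory stand-in for a file-backed logger (hypothetical, not a real library).
function makeLogger() {
  const lines = [];
  return {
    info(msg) { lines.push(`INFO ${msg}`); },
    // What a line-oriented reader (grep, a log parser) sees in the file.
    entries() { return lines.join('\n').split(/\r\n|\r|\n/); },
  };
}

// The page's remediation: drop CR and LF before the value reaches the logger.
// String() also covers non-string values, for example an array produced by a
// parsed query string, which has no .replace() method of its own.
function sanitizeForLog(value) {
  return String(value).replace(/[\r\n]/g, '');
}

// Constructed sample: a username field carrying an embedded newline.
const SAMPLE_USERNAME = 'alice\nINFO login succeeded user=admin';

// Pattern the rule flags: user input interpolated into the message as-is.
function logUnsafe(logger, username) {
  logger.info(`login failed user=${username}`);
}

// Fixed pattern: the value is sanitized at the point of logging.
function logSafe(logger, username) {
  logger.info(`login failed user=${sanitizeForLog(username)}`);
}

// One logging call each; compare how many entries a reader sees.
function demo() {
  const unsafe = makeLogger();
  logUnsafe(unsafe, SAMPLE_USERNAME);
  const safe = makeLogger();
  logSafe(safe, SAMPLE_USERNAME);
  return { unsafe: unsafe.entries(), safe: safe.entries() };
}

console.log(demo());
```

A single `logUnsafe` call shows up as two entries to the reader, the second of which the application never wrote; after sanitization the same input stays on one line where the injected text is visibly part of the username field.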