LogTape security updates: 1.3.11, 2.0.14, and 2.1.5

[dahlia]

If you use @logtape/syslog, update to a patched release now. CVE-2026-54511 affects structured data formatting in the syslog sink when includeStructuredData is enabled. This option is off by default, but deployments that enable it and include attacker-controlled log properties could emit syslog messages that downstream collectors treat as forged records.

The vulnerable code is in escapeStructuredDataValue() in packages/syslog/src/syslog.ts. It escaped \, ", and ] for RFC 5424 structured data values, but it did not neutralize newline, carriage return, NUL, or other C0 control characters. TCP syslog deployments commonly use newline-delimited framing. If a structured data value contained a literal newline followed by bytes that look like an RFC 5424 header, a downstream collector could accept the second line as a separate syslog record.

There was a second formatting issue in the same structured data path. Structured data parameter keys were inserted without checking the RFC 5424 SD-NAME grammar. Developer-defined property names are usually safe, but applications sometimes forward request headers or arbitrary metadata as log properties. In that case, keys containing spaces, =, ", ], control characters, or overlength names could produce malformed structured data.

The fix changes @logtape/syslog to replace C0 control characters in structured data values with printable #NNN sequences before the syslog message is built. It also skips log properties whose keys are not valid SD-NAME values, which means 1 to 32 printable US-ASCII characters excluding space, =, ], and ".

Current patched releases are 1.3.11, 2.0.14, and 2.1.5. The GitHub Security Advisory is GHSA-8h6h-x5pq-56fq, and the CVE ID is CVE-2026-54511.

Update @logtape/syslog:

npm  update  @logtape/syslog
yarn upgrade @logtape/syslog
pnpm update  @logtape/syslog
bun  update  @logtape/syslog
deno update  @logtape/syslog

After updating, redeploy any service that sends logs through the syslog sink. If you do not use @logtape/syslog, or if you use it without includeStructuredData, this issue does not affect that logging path.

Thanks to the reporter for responsible disclosure.

If anything is unclear, ask below.