Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
Published: 2026-06-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DataDog::DogStatsd Perl modules through version 0.07 fail to sanitise input tags used in the event method, permitting the injection of arbitrary metric names, values, and control characters. The flaw is classified as improper neutralization of escape, meta, or control sequences (CWE-150) and improper neutralization of CRLF sequences (CWE-93). An attacker can corrupt metrics and distort monitoring dashboards, but the available data does not indicate a denial-of-service capability.

Affected Systems

All installations of the DataDog::DogStatsd Perl client whose version is 0.07 or earlier are affected. Any environment that uses the event API to accept tags from external or untrusted sources poses a risk.

Risk and Exploitability

The vulnerability is exercised via the event method; an attacker who can supply event tags—through application integration or a network interface feeding tags to DogStatsd—can trigger malicious metric injection. No CVSS score is provided, the EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. The likely attack vector is inferred to be any interface that forwards tags to the DogStatsd client.

Generated by OpenCVE AI on June 5, 2026 at 17:24 UTC.

Remediation

Vendor Workaround

Ensure that metric names, values and tags come from trusted sources or are properly sanitised.


OpenCVE Recommended Actions

  • Ensure that metric names, values and tags come from trusted sources or are properly sanitised.
  • Sanitise all inbound metric names, values, and tags to remove commas, newlines, pipes, and colons before they are submitted to DogStatsd.
  • Restrict the event API to trusted hosts or environments, applying network or application level access controls.
  • Upgrade the DataDog::DogStatsd Perl module to the newest release once a vendor fix is made available.
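
The following Perl sketch is an added example, not code from DataDog::DogStatsd or its maintainers. It shows why the unescaped `s/|//g` quoted in the description removes nothing, and one way to clean tag components in the caller before they reach the event method. The helper names `clean_component` and `make_tag` and the sample value are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed untrusted value, e.g. taken from a request parameter.
my $untrusted = "prod,role:admin\nfake.metric:1|c";

# 1. The substitution quoted in the description. An unescaped | is regex
#    alternation between two empty patterns, so it only matches empty
#    strings and removes nothing.
(my $ineffective = $untrusted) =~ s/|//g;
print "unescaped pipe: value unchanged\n" if $ineffective eq $untrusted;

# 2. Escaping the pipe removes pipes, but commas, colons and newlines
#    are still present, so this alone is not a sufficient fix.
(my $pipes_only = $untrusted) =~ s/\|//g;
print "escaped pipe: other separators remain\n" if $pipes_only =~ /[,:\n]/;

# 3. Hypothetical helper: drop every character the advisory names
#    (comma, pipe, colon, newline) plus carriage return.
sub clean_component {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/[,|:\r\n]//g;    # inside a character class | is literal
    return $text;
}

# Hypothetical helper: build a key:value tag from separately cleaned
# parts, so the only colon in the result is the one added here.
sub make_tag {
    my ($key, $value) = @_;
    my $k = clean_component($key);
    my $v = clean_component($value);
    return length($v) ? "$k:$v" : $k;
}

# Tags built this way contain no separator that the wire format treats
# as the start of another tag, field or line.
my @tags = (
    make_tag('env',     $untrusted),
    make_tag('service', 'checkout'),
);
print join(',', @tags), "\n";
```

Cleaning key and value separately keeps `key:value` tags usable while still removing colons that arrive inside untrusted data.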


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:45:00 +0000

Values added (no values removed):

Description: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)

Title: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags

Weaknesses: CWE-150, CWE-93
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-05T14:50:12.176Z

Reserved: 2026-06-05T11:42:59.357Z

Link: CVE-2026-11362

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T16:16:41.277

Modified: 2026-06-05T17:04:07.863

Link: CVE-2026-11362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T17:30:45Z
