Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
Published: 2026-06-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DataDog::DogStatsd Perl modules through version 0.07 do not validate the content of tags supplied to the event method. Tags can contain commas, newlines, pipes, and colons, which the module incorrectly accepts and forwards to the DogStatsd daemon. This flaw permits an attacker controlling the tag payload to inject arbitrary metric names and values, potentially corrupting monitoring data and misleading stakeholders.

Affected Systems

All installations of the DataDog::DogStatsd Perl client whose version is 0.07 or earlier are affected. Any environment that uses the event API to accept tags from external or untrusted sources poses a risk.

Risk and Exploitability

The vulnerability is exercised via the event method; an attacker who can supply event tags – for example, through an application that receives external data or through any interface that forwards tags to DogStatsd – can trigger malicious metric injection. The CVSS score is 9.8, the EPSS score is less than 1%, and the vulnerability is not listed in CISA KEV. The likely attack vector is any exposed interface that allows untrusted tags to be sent to the DogStatsd client.

Generated by OpenCVE AI on June 8, 2026 at 20:53 UTC.

Remediation

Vendor Workaround

Ensure that metric names, values and tags come from trusted sources or are properly sanitised.


OpenCVE Recommended Actions

  • Ensure that metric names, values and tags come from trusted sources or are properly sanitised.
  • Sanitise all inbound metric names, values, and tags to remove commas, newlines, pipes, and colons before they are submitted to DogStatsd.
  • Restrict the event API to trusted hosts or environments, applying network or application level access controls.
  • Upgrade the DataDog::DogStatsd Perl module to the newest release once a vendor fix is made available.
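
The ineffective pipe substitution from the description and the caller-side tag sanitising recommended above, as an added Perl example (not code from the module or from this advisory). The helper names, the simplified build_event stand-in for format_event, the underscore replacement and the sample tag value are all assumptions constructed for illustration.

```perl
use strict;
use warnings;

# The substitution quoted in the advisory. An unescaped | is alternation
# between two empty branches, so it matches the empty string at every
# position and never removes a literal pipe.
sub strip_pipes_broken { my ($s) = @_; $s =~ s/|//g;  return $s }

# Escaped, the pipe is a literal character and is removed.
sub strip_pipes_fixed  { my ($s) = @_; $s =~ s/\|//g; return $s }

# Caller-side sanitiser (hypothetical helper): replaces the characters the
# advisory names (comma, pipe, colon, CR, LF) with an underscore.
sub sanitise_tag {
    my ($tag) = @_;
    $tag =~ s/[,|:\r\n]/_/g;    # inside [...] the pipe is literal
    return $tag;
}

# Simplified DogStatsd event datagram (hypothetical stand-in for the
# module's format_event): _e{title_len,text_len}:title|text|#tag1,tag2
sub build_event {
    my ($title, $text, @tags) = @_;
    return sprintf '_e{%d,%d}:%s|%s|#%s',
        length($title), length($text), $title, $text, join(',', @tags);
}

# Constructed sample: a tag value taken from untrusted input.
my $untrusted = "user_x\nlogins.failed:0|g";

print "broken strip: ", strip_pipes_broken('a|b'), "\n";
print "fixed strip:  ", strip_pipes_fixed('a|b'),  "\n";

# Compare how many datagram lines one event produces with and without
# sanitising the tag before it reaches the client.
for my $case (
    [ 'raw',       $untrusted ],
    [ 'sanitised', sanitise_tag($untrusted) ],
) {
    my ($label, $tag) = @$case;
    my @lines = split /\n/, build_event('deploy', 'finished', $tag);
    printf "%-9s -> %d datagram line(s)\n", $label, scalar @lines;
    print  "    $_\n" for @lines;
}
```

Because the sanitiser runs in the calling application, it applies to the affected versions without modifying the module.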


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Binary datadog\
CPEs cpe:2.3:a:binary:datadog\:\:dogstatsd:*:*:*:*:*:perl:*:*
Vendors & Products Binary datadog\

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Binary
Binary datadog::dogstatsd
Vendors & Products Binary
Binary datadog::dogstatsd

Fri, 05 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
Title DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags
Weaknesses CWE-150
CWE-93
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-08T18:20:09.533Z

Reserved: 2026-06-05T11:42:59.357Z

Link: CVE-2026-11362

Vulnrichment

Updated: 2026-06-08T18:19:50.308Z

NVD

Status: Analyzed

Published: 2026-06-05T16:16:41.277

Modified: 2026-06-10T15:01:40.640

Link: CVE-2026-11362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T21:00:14Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')