Description
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.

Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.
Published: 2026-05-10
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plack::Middleware::Statsd versions before 0.9.0 send each client's IP address to the statsd daemon as a metric value, in cleartext. If the daemon is reached over an unsecured network path, such as UDP packets sent to a host on another network, the raw addresses are exposed to anyone who can observe or intercept the traffic. This compromises user anonymity and can support profiling or approximate geolocation of users.

Affected Systems

The vulnerability affects the RRWO Plack::Middleware::Statsd library for Perl in all releases prior to version 0.9.0. The resolution is to install version 0.9.0 or later: newer releases no longer log the IP address by default and, when IP logging is enabled, send an HMAC of the address instead of the address itself.

Risk and Exploitability

The risk is confined to the confidentiality of client IP addresses; there is no denial-of-service or code-execution aspect. No CVSS score is available in the advisory, but the weakness is classified as CWE-319 (cleartext transmission of sensitive information). The EPSS score shown above is below 1%, and the issue is not listed in the CISA KEV catalog. The attacker is a passive eavesdropper on the network path between the application and the statsd daemon; where that path is unauthenticated, unencrypted UDP, the attack requires only visibility of the traffic. Mitigate by upgrading the library, or by moving the metrics path to a daemon on the same host or to an encrypted channel, so that client addresses are not exposed in transit.

Generated by OpenCVE AI on May 10, 2026 at 20:20 UTC.

Remediation

Vendor Solution

Upgrade to version 0.9.0 or later.

Vendor Workaround

Run the statsd daemon on the same host, or reach it through a secure communications channel.


OpenCVE Recommended Actions

  • Upgrade RRWO Plack::Middleware::Statsd to version 0.9.0 or newer
  • Configure the middleware to disable logging of IP addresses or to use an HMAC signature of the IP
  • Route the metrics data over a secure channel, such as a local Unix socket or encrypted transport, to eliminate exposure over the network
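The second action above (report a keyed HMAC of the client address rather than the address) is the part worth seeing in code. The following is an added example, not code from Plack::Middleware::Statsd or from its author: a small Plack middleware (the name My::Middleware::ClientPseudonym, the metric name psgi.request.client, the IP_HMAC_SECRET environment variable and the emit callback are all assumptions for illustration) that replaces REMOTE_ADDR with a truncated HMAC-SHA256 before anything reaches the metrics channel. It also shows why an unkeyed hash would not help: with no secret, an eavesdropper can hash every candidate address and match the digest, demonstrated here over a single /24 of constructed documentation addresses.

```perl
#!/usr/bin/env perl
# Added example (not code from Plack::Middleware::Statsd): pseudonymise the
# client IP with a keyed HMAC before it reaches a metrics channel, and show
# why an unkeyed hash is not enough.
use strict;
use warnings;

package My::Middleware::ClientPseudonym;   # hypothetical middleware name
use parent 'Plack::Middleware';
use Plack::Util::Accessor qw(secret emit);
use Digest::SHA qw(hmac_sha256_hex);

# HMAC-SHA256 of the address under a server-side secret, truncated to 16 hex
# characters: enough to count distinct clients, useless to an observer of the
# statsd traffic who does not hold the secret.
sub pseudonymize_ip {
    my ($ip, $secret) = @_;
    return substr(hmac_sha256_hex($ip, $secret), 0, 16);
}

sub prepare_app {
    my $self = shift;
    die "secret of at least 32 bytes is required\n"
        unless defined $self->secret && length $self->secret >= 32;
    # Default emitter prints a statsd "set" line; a real deployment would hand
    # this to its statsd client (assumed callback, not a Plack API).
    $self->emit(sub { print "$_[0]:$_[1]|s\n" }) unless $self->emit;
}

sub call {
    my ($self, $env) = @_;
    # Emit the pseudonym, never $env->{REMOTE_ADDR} itself.
    $self->emit->('psgi.request.client',                 # hypothetical metric name
                  pseudonymize_ip($env->{REMOTE_ADDR}, $self->secret));
    return $self->app->($env);
}

package main;
use Digest::SHA qw(sha256_hex);
use Plack::Builder;

# Unkeyed hashes leak: an observer can hash every candidate address and match.
# Shown for one /24 here; enumerating all of IPv4 (2^32) is equally feasible.
sub reverse_unkeyed_hash {
    my ($digest, $prefix) = @_;        # $prefix like "203.0.113"
    for my $host (0 .. 255) {
        my $candidate = "$prefix.$host";
        return $candidate if sha256_hex($candidate) eq $digest;
    }
    return undef;
}

# Secret comes from the environment, never from the code base (assumption).
my $secret = $ENV{IP_HMAC_SECRET} // die "set IP_HMAC_SECRET (>= 32 bytes)\n";

my $app = builder {
    enable '+My::Middleware::ClientPseudonym', secret => $secret;
    sub { [200, ['Content-Type' => 'text/plain'], ["ok\n"]] };
};

# Constructed PSGI environment; 203.0.113.7 is a documentation address.
my $res = $app->({
    REQUEST_METHOD => 'GET',
    PATH_INFO      => '/',
    REMOTE_ADDR    => '203.0.113.7',
});
print "status: $res->[0]\n";

# What an eavesdropper could do with a plain SHA-256 of the address.
my $leaked    = sha256_hex('203.0.113.7');
my $recovered = reverse_unkeyed_hash($leaked, '203.0.113');
print "unkeyed sha256 recovered: ", ($recovered // 'not found'), "\n";

# The keyed form cannot be matched without the secret.
print "keyed pseudonym: ",
      My::Middleware::ClientPseudonym::pseudonymize_ip('203.0.113.7', $secret), "\n";
```

Run it with IP_HMAC_SECRET set to a random value of at least 32 bytes. The emitter prints the statsd line to standard output so the example works offline; wiring it to a real client changes nothing about the pseudonymisation, and the transport choice (local daemon or encrypted channel) is a separate control from the third action above, since a pseudonym still reveals request timing to anyone on the path.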

Advisories

No advisories yet.

History

Sun, 10 May 2026 22:30:00 +0000

Type: References
Values removed: (none shown)
Values added: (none shown)

Sun, 10 May 2026 19:45:00 +0000

Type: Description
Values added: Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.

Type: Title
Values added: Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses

Type: Weaknesses
Values added: CWE-319

Type: References
Values added: (none shown)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-10T21:17:03.221Z

Reserved: 2026-05-09T18:57:17.867Z

Link: CVE-2026-45179

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T20:16:28.967

Modified: 2026-05-10T22:16:06.967

Link: CVE-2026-45179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T20:30:19Z

Weaknesses