Impact
Plack::Middleware::Statsd versions before 0.9.0 transmit client IP addresses to a statsd daemon without any encryption or masking, so the raw IPs can be captured by anyone able to observe the network traffic. The impact is a loss of confidentiality for client IP information, which can enable profiling or location tracking; the issue provides no code execution or denial of service capability. The weakness is classified as CWE‑319 (cleartext transmission of sensitive information).
Affected Systems
The issue affects the RRWO Plack::Middleware::Statsd library for Perl in all releases earlier than 0.9.0. The required fix is to install version 0.9.0 or newer, which removes automatic IP logging unless explicitly configured. Updating to the latest release ensures that the IP address is either omitted or replaced with an HMAC‑signed value.
Risk and Exploitability
The risk is limited to the confidentiality of client IP addresses. The CVSS score of 5.3 indicates moderate severity. The EPSS score of < 1% suggests that exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. From the description, the likely attack vector is a network eavesdropper who can observe the UDP (or other) transport carrying metrics from the application to the statsd daemon; on an unsecured channel this requires nothing more than visibility of the network path. Mitigation is to upgrade the library, disable raw IP logging, or configure the middleware to use a transport an on-path observer cannot read, such as a local Unix socket or an encrypted channel.
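The two mitigations named above, replacing the IP with an HMAC-keyed value and restricting raw IPs to transports an on-path observer cannot see, are illustrated by the following added example. It is not code from Plack::Middleware::Statsd or from the RRWO project and does not use that module's configuration options; the statsd tag syntax (`|#client:value`), the `statsd_url` scheme convention, the `EXAMPLE_KEY` constant and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlparse

# Constructed per-deployment secret for the example only. In a real deployment
# this is random, kept in configuration, and never sent to the statsd daemon.
EXAMPLE_KEY = b"example-only-replace-with-a-random-per-deployment-secret"


def pseudonymize_ip(ip: str, key: bytes, length: int = 16) -> str:
    """Replace a client IP with a truncated HMAC-SHA256 tag.

    The tag is stable under one key, so per-client counts and rate metrics
    still work, but it cannot be reversed to the address and cannot be
    recomputed by an eavesdropper who does not hold the key.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on non-IP input
    digest = hmac.new(key, str(addr).encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:length]


def metric_line_raw(metric: str, client_ip: str) -> str:
    """Pre-0.9.0 shape: the raw address travels in the metric (tag extension)."""
    return f"{metric}:1|c|#client:{client_ip}"


def metric_line_hardened(metric: str, client_ip: str, key: bytes) -> str:
    """Hardened shape: only the keyed pseudonym leaves the process."""
    return f"{metric}:1|c|#client:{pseudonymize_ip(client_ip, key)}"


def transport_allows_raw_ip(statsd_url: str) -> bool:
    """Policy (an assumption of this example): raw IPs may be sent only over a
    local Unix socket or to a loopback address, where no on-path observer
    exists. Plain UDP/TCP to any other host gets pseudonyms only."""
    u = urlparse(statsd_url)
    if u.scheme == "unix":
        return True
    if u.scheme in ("udp", "tcp") and u.hostname:
        try:
            return ipaddress.ip_address(u.hostname).is_loopback
        except ValueError:
            return u.hostname == "localhost"
    return False


def build_metric(metric: str, client_ip: str, statsd_url: str, key: bytes) -> str:
    """Choose the metric shape from the transport the daemon is reached on."""
    if transport_allows_raw_ip(statsd_url):
        return metric_line_raw(metric, client_ip)
    return metric_line_hardened(metric, client_ip, key)


if __name__ == "__main__":
    # Constructed sample request: documentation address, two transports.
    ip = "203.0.113.7"
    print(build_metric("web.requests", ip, "unix:///var/run/statsd.sock", EXAMPLE_KEY))
    print(build_metric("web.requests", ip, "udp://10.0.0.5:8125", EXAMPLE_KEY))
```

The pseudonym is deterministic for a given key, so dashboards that count distinct clients keep working; rotating the key breaks linkage across the rotation boundary, which is a deliberate trade-off when the metrics store is long-lived.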
OpenCVE Enrichment