Description
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.
Published: 2026-05-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability causes session identifiers to be logged in plaintext to a Statsd daemon when the communication channel is not secured. The flaw, an instance of improper handling of secrets (CWE-319), allows an attacker to capture session IDs, which can then serve as authentication tokens to impersonate users.

Affected Systems

The issue appears in Catalyst::Plugin::Statsd versions through 0.10.0 and, to a different extent, in Plack::Middleware::Statsd 0.9.0 or later when insecurely configured. The affected vendor is RRWO.

Risk and Exploitability

Because the statistics are transmitted via UDP to a remote host, an attacker who can sniff this traffic can trivially retrieve session IDs. The vulnerability is not listed in KEV and has an EPSS score of <1%, but the potential to gain unauthenticated access through intercepted IDs marks this as a high‑risk security problem, especially if the Statsd endpoint resides on an external network. The vulnerability can be exploited without any specialized privileges by merely observing network traffic to the Statsd server.

Generated by OpenCVE AI on May 12, 2026 at 16:30 UTC.

Remediation

Vendor Solution

Upgrade to version 0.10.0 of later, which will no longer log session ids to statsd. If Plack::Middleware::Statsd is upgraded to 0.9.0 or later and is configured to log some information securely, then session ids will be logged as HMAC signatures instead.

Vendor Workaround

Use a statsd daemon on the same host or through a secure communications channel.

OpenCVE Recommended Actions

  • Upgrade Catalyst::Plugin::Statsd to version 0.10.0 or later to stop logging raw session identifiers.
  • Upgrade Plack::Middleware::Statsd to 0.9.0 or later and enable secure logging so session IDs are transmitted as HMAC signatures.
  • If upgrading is not feasible, run the Statsd daemon on the same host or secure the transport channel with TLS or an isolated network.

Generated by OpenCVE AI on May 12, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo
Rrwo catalyst::plugin::statsd
Vendors & Products Rrwo
Rrwo catalyst::plugin::statsd

Sun, 10 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.
Title Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids
Weaknesses CWE-319
References

Subscriptions

Rrwo Catalyst::plugin::statsd
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-12T14:26:17.506Z

Reserved: 2026-05-09T18:57:17.867Z

Link: CVE-2026-45180

cve-icon Vulnrichment

Updated: 2026-05-12T14:25:50.187Z

cve-icon NVD

Status : Deferred

Published: 2026-05-10T21:16:29.170

Modified: 2026-05-12T16:48:58.260

Link: CVE-2026-45180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T16:45:16Z

Weaknesses