Description
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.

The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Published: 2026-05-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsd::Lite versions prior to 0.9.0 permit the creation of metric names that contain newline, colon, or pipe characters. These characters are interpreted by the StatsD protocol as delimiters, effectively allowing a single metric string to be parsed as multiple metrics or to manipulate the names of metrics sent to the server.

Affected Systems

The vulnerable component is the Perl module Net::Statsd::Lite distributed by RRWO. Any installation using a version older than 0.9.0 is affected. The fix was released in version 0.9.0 and later.

Risk and Exploitability

Based on the description, it is inferred that exploitation requires the ability to send metrics through the vulnerable library to a StatsD server. By inserting prohibited characters such as newlines, colons, or pipes into the metric name, the attacker can inject additional metrics or alter existing ones, thereby compromising the integrity of monitoring data. This does not allow remote code execution. The CVSS score of 6.5 indicates moderate severity, while the EPSS score of < 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 19, 2026 at 21:33 UTC.

Remediation

Vendor Solution

Upgrade to Net::Statsd::Lite version 0.9.0 or later.


Vendor Workaround

Apply the patch. Alternatively, validate that all metrics sent to the client based on untrusted data do not contain metric injections.


OpenCVE Recommended Actions

  • Upgrade to Net::Statsd::Lite version 0.9.0 or later
  • Apply the upstream patch available at the provided URL
  • Validate that any metric name derived from untrusted input contains no newline, colon, or pipe characters before submission to the StatsD server

Generated by OpenCVE AI on June 19, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-150

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo
Rrwo net::statsd::lite
Vendors & Products Rrwo
Rrwo net::statsd::lite

Sat, 16 May 2026 21:30:00 +0000

Type Values Removed Values Added
References

Sat, 16 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Title Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections
Weaknesses CWE-93
References

Subscriptions

Rrwo Net::statsd::lite
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-19T15:28:37.676Z

Reserved: 2026-05-16T00:56:00.338Z

Link: CVE-2026-46719

cve-icon Vulnrichment

Updated: 2026-05-16T20:15:59.046Z

cve-icon NVD

Status : Deferred

Published: 2026-05-16T14:16:37.507

Modified: 2026-06-17T10:53:51.553

Link: CVE-2026-46719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T21:45:04Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')