Description
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.

The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Published: 2026-05-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsd::Lite versions prior to 0.9.0 permit the creation of metric names that contain newline, colon, or pipe characters. These characters are interpreted by the StatsD protocol as delimiters, effectively allowing a single metric string to be parsed as multiple metrics or to manipulate the names of metrics sent to the server.

Affected Systems

The vulnerable component is the Perl module Net::Statsd::Lite distributed by RRWO. Any installation using a version older than 0.9.0 is affected. The fix was released in version 0.9.0 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of < 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the ability to send metrics through the vulnerable library to a StatsD server; by inserting prohibited characters in the metric name the attacker can inject additional statistics metrics or alter existing ones, impacting the integrity of monitoring data but not enabling remote code execution.

Generated by OpenCVE AI on May 19, 2026 at 15:37 UTC.

Remediation

Vendor Solution

Upgrade to Net::Statsd::Lite version 0.9.0 or later.

Vendor Workaround

Apply the patch. Alternatively, validate that all metrics sent to the client based on untrusted data do not contain metric injections.

OpenCVE Recommended Actions

  • Upgrade to Net::Statsd::Lite version 0.9.0 or later
  • Apply the upstream patch available at the provided URL
  • Validate that any metric name derived from untrusted input contains no newline, colon, or pipe characters before submission to the StatsD server

Generated by OpenCVE AI on May 19, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo
Rrwo net::statsd::lite
Vendors & Products Rrwo
Rrwo net::statsd::lite

Sat, 16 May 2026 21:30:00 +0000

Type Values Removed Values Added
References

Sat, 16 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Title Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections
Weaknesses CWE-93
References

Subscriptions

Rrwo Net::statsd::lite
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-19T12:51:28.945Z

Reserved: 2026-05-16T00:56:00.338Z

Link: CVE-2026-46719

cve-icon Vulnrichment

Updated: 2026-05-16T20:15:59.046Z

cve-icon NVD

Status : Deferred

Published: 2026-05-16T14:16:37.507

Modified: 2026-05-19T14:16:47.137

Link: CVE-2026-46719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses