Description
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.

The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Published: 2026-05-16
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsd::Lite versions prior to 0.9.0 allow attackers to inject arbitrary statistics metrics. The library does not validate metric names for newlines, colons, or pipe characters, so an attacker can craft metric strings that appear as multiple distinct metrics or alter existing ones. This flaw can distort monitoring data, potentially leading to misdiagnosis, false alarms, or resource exhaustion if metrics are logged or processed excessively.

Affected Systems

The vulnerable component is the Perl module Net::Statsd::Lite, distributed by RRWO. Any installation using a version older than 0.9.0 is affected. The fix was released in version 0.9.0 and later.

Risk and Exploitability

No CVSS score is provided and the EPSS score is unavailable, but the vulnerability is listed as not included in CISA's KEV catalog. Exploitation requires the ability to send metrics through the vulnerable library to a StatsD server, which is typically remote. Attackers can inject new metric entries or alter existing ones by including newline, colon, or pipe characters in the metric name. While this does not enable remote code execution, it can lead to integrity and availability issues in monitoring systems.

Generated by OpenCVE AI on May 16, 2026 at 14:35 UTC.

Remediation

Vendor Solution

Upgrade to Net::Statsd::Lite version 0.9.0 or later.

Vendor Workaround

Apply the patch. Alternatively, validate that all metrics sent to the client based on untrusted data do not contain metric injections.

OpenCVE Recommended Actions

  • Upgrade to Net::Statsd::Lite version 0.9.0 or later.
  • If an upgrade is not immediately possible, apply the upstream patch available at https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch.
  • Introduce runtime validation to ensure that any metric name derived from untrusted input contains no newline, colon, or pipe characters before submission to the StatsD server.

Generated by OpenCVE AI on May 16, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 21:30:00 +0000

Type Values Removed Values Added
References

Sat, 16 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Title Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections
Weaknesses CWE-93
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-16T20:15:59.046Z

Reserved: 2026-05-16T00:56:00.338Z

Link: CVE-2026-46719

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T14:16:37.507

Modified: 2026-05-16T21:16:23.957

Link: CVE-2026-46719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T14:45:25Z

Weaknesses