Description
Net::Statsd versions before 0.13 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
Published: 2026-06-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsd versions older than 0.13 for Perl do not sanitize metric names, allowing newlines, colons, or pipe characters to appear in metric identifiers. In addition, the update_stats and gauge methods accept values without confirming that they are numeric. An attacker who can inject data sent to a StatsD server can therefore add arbitrary metric names and values, potentially flooding the monitoring system, corrupting statistics, or leaking sensitive information if metric names include confidential data. This flaw is a form of input validation weakness identified as CWE-93.

Affected Systems

The affected product is Net::Statsd for Perl, versions prior to 0.13 released by the COSIMO vendor. No other vendors or versions are explicitly enumerated in the advisory.

Risk and Exploitability

The CVSS score is 5.3, and the EPSS score is unavailable. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a remote network attacker that can send properly formatted packets to the StatsD server. The vulnerability can be exploited without special privileges or authentication, as any source able to reach the StatsD port can craft metric injections. The impact revolves around data integrity and availability of the monitoring system rather than confidentiality.

Generated by OpenCVE AI on June 4, 2026 at 19:23 UTC.

Remediation

Vendor Solution

Upgrade to version 0.13 or later.
Vendor Workaround

Apply the linked pull request. Otherwise ensure only trusted data is submitted to metrics.
OpenCVE Recommended Actions

  • Upgrade to Net::Statsd version 0.13 or later.
  • Apply the linked pull request provided by the vendor to mitigate the issue.
  • Ensure that only trusted data is submitted to the StatsD server; validate metric names and values before sending.
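The validation the advisory recommends, shown here as an added example that is not Net::Statsd's own code and not the linked pull request. It assumes the usual statsd wire format, `name:value|type` with one metric per line, which is why a name carrying a newline, colon or pipe can terminate the current metric early and start another. The metric names, values and the `build_statsd_line` helper are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example: caller-side validation of statsd metric names and values
# before they reach any statsd client. Not Net::Statsd's code and not the
# fix shipped in 0.13; the helper names below are illustrative only.
use strict;
use warnings;

# A statsd line is "name:value|type" and metrics are newline-separated.
# Names are therefore restricted to an allow-list that excludes every
# structural character of the wire format.
sub is_safe_metric_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    # Explicitly reject the characters the advisory names ...
    return 0 if $name =~ /[\n\r:|]/;
    # ... and then enforce an allow-list, which is the real control.
    return $name =~ /\A[A-Za-z0-9._-]+\z/ ? 1 : 0;
}

# Counter and gauge values must be plain decimal numbers. A strict regex is
# used rather than Scalar::Util::looks_like_number, which also accepts
# forms such as "Inf", "NaN", "1e5" or leading whitespace.
sub is_numeric_value {
    my ($value) = @_;
    return 0 unless defined $value;
    return $value =~ /\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)\z/ ? 1 : 0;
}

# Build one statsd line, or die if name, value or type fails validation.
sub build_statsd_line {
    my ($name, $value, $type) = @_;
    die "unsafe metric name\n"  unless is_safe_metric_name($name);
    die "non-numeric value\n"   unless is_numeric_value($value);
    die "unknown metric type\n" unless $type =~ /\A(?:c|g|ms)\z/;
    return "$name:$value|$type";
}

# Constructed inputs: a clean metric, names that would split into a second
# metric on the wire, and a gauge value that is not a number.
my @cases = (
    [ 'web.requests',                   1,      'c' ],
    [ "web.requests\nother.metric:1|c", 1,      'c' ],  # newline-separated extra metric
    [ 'web.requests:99|c',              1,      'c' ],  # colon and pipe inside the name
    [ 'web.latency',                    '12.5', 'g' ],
    [ 'web.latency',                    'abc',  'g' ],  # non-numeric gauge value
);

for my $case (@cases) {
    my ($name, $value, $type) = @$case;
    my $line = eval { build_statsd_line($name, $value, $type) };
    if (defined $line) {
        printf "accepted: %s\n", $line;
    } else {
        chomp(my $err = $@);
        (my $shown = $name) =~ s/\n/\\n/g;
        printf "rejected (%s): name=%s value=%s\n", $err, $shown, $value;
    }
}
```

Run it with `perl validate_statsd.pl`; only the first and fourth cases are accepted. Rejecting rather than silently stripping offending characters is deliberate: a stripped name can collide with a legitimate metric, whereas a rejection surfaces the untrusted input in application logs where it can be investigated.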



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
Title                          Net::Statsd versions before 0.13 for Perl allow metric injections
Weaknesses                     CWE-93
References


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T17:48:33.606Z

Reserved: 2026-05-17T18:04:31.499Z

Link: CVE-2026-46739

Vulnrichment

Updated: 2026-06-04T17:47:17.653Z

NVD

Status : Undergoing Analysis

Published: 2026-06-04T17:16:32.663

Modified: 2026-06-04T19:16:29.810

Link: CVE-2026-46739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z

Weaknesses