Impact
The module Mojolicious::Plugin::Statsd through version 0.04 fails to validate metric names and values, allowing characters such as newlines, colons, or pipes. Because these characters act as separators in the Statsd line format, an attacker who can influence metric strings built from untrusted input can inject additional Statsd metrics. The injected metrics appear as if they originated from the legitimate application, which could lead to misleading monitoring data, confusion, or abuse of the monitoring system. This vulnerability represents an input validation weakness (CWE-93).
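The injection described above, as an added illustration that is not the plugin's own code: a minimal Statsd line formatter in its vulnerable form (no validation) beside a hardened form, plus a simplified receiver showing that a newline-bearing metric name is parsed as two separate, legitimate-looking metrics. The metric names and values are constructed sample input.

```python
import re

# Statsd wire format (simplified): "<name>:<value>|<type>", one metric per line.
# Added example, not code from Mojolicious::Plugin::Statsd.

def format_metric_unsafe(name, value, mtype="c"):
    """Vulnerable form: interpolates untrusted name/value with no validation."""
    return f"{name}:{value}|{mtype}"

def parse_datagram(datagram):
    """Simplified receiver: split the datagram on newlines, then each line on
    ':' and '|'. Returns a list of (name, value, type); malformed lines are skipped."""
    metrics = []
    for line in datagram.split("\n"):
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if "|" not in rest:
            continue
        value, mtype = rest.split("|", 1)
        metrics.append((name, value, mtype))
    return metrics

# Conservative allow-lists (an assumption of this example): names are dotted
# identifiers, values are numeric, types are the common Statsd type codes.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_VALUE_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")
_TYPES = {"c", "g", "ms", "s", "h"}

def is_valid_metric(name, value, mtype="c"):
    """True only if no field can carry a newline, ':' or '|' onto the wire."""
    return bool(_NAME_RE.match(name)) and bool(_VALUE_RE.match(str(value))) and mtype in _TYPES

def format_metric_safe(name, value, mtype="c"):
    """Hardened form: refuse to emit anything that fails validation."""
    if not is_valid_metric(name, value, mtype):
        raise ValueError(f"invalid metric: {name!r} {value!r} {mtype!r}")
    return f"{name}:{value}|{mtype}"

# Constructed untrusted input: a request-supplied label that smuggles a second metric.
TAINTED_NAME = "app.requests:1|c\nbilling.refunds_ok"

if __name__ == "__main__":
    # Receiver sees two metrics, the second indistinguishable from a real gauge.
    print(parse_datagram(format_metric_unsafe(TAINTED_NAME, 9999, "g")))
    print(is_valid_metric(TAINTED_NAME, 9999, "g"))  # False: rejected before emission
```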
Affected Systems
The affected product is the Perl module Mojolicious::Plugin::Statsd, authored by RRWO. Any installation using version 0.04 or earlier is vulnerable. The CVE notes that upgrading to version 0.06 or later removes the issue by separating the Statsd client and defaulting to a Net::Statsd::Tiny implementation that includes a similar fix. Users of the older module should consult the vendor's release notes for version 0.06 and above.
Risk and Exploitability
The CVE is not listed in the CISA KEV catalog, and the EPSS score is < 1%, indicating a low probability of exploitation at the time of this analysis. The CVSS score of 5.3 reflects moderate severity. The attack vector is inferred to be any untrusted input that the application passes to the plugin as a metric name or value. If the application allows remote users to supply metric data, the vulnerability could be triggered remotely. While the vulnerability does not provide direct code execution, manipulating monitoring data can facilitate denial-of-service or obscure real issues, warranting prompt remediation.
OpenCVE Enrichment