Description
Etsy::StatsD versions through 1.002002 for Perl allow metric injections.

The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
Published: 2026-06-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Etsy::StatsD libraries for Perl versions up to 1.002002 do not sanitize metric names and values for newlines, colons, or pipe characters, allowing an attacker to inject additional metrics into the StatsD stream. If untrusted data is submitted, the library will interpret injected delimiters as separate metrics, potentially leading to inaccurate monitoring data or denial of service through excessive metric creation.

Affected Systems

The vulnerability affects the SANBEG Etsy::StatsD Perl library, specifically all releases through version 1.002002. An unreleased development build also contains gauge and set methods that lack protection against injection, meaning any environment using the current or older releases is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates significant severity, but the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating limited exposure data. However, if an application can cause the library to process inputs originating from untrusted sources, an attacker can inject arbitrary metrics. The attack vector is likely through any input that is forwarded to the StatsD client, whether from user traffic, external services, or internal data feeds. Exploitation requires only the ability to influence metric submissions, a condition that may arise in many server or monitoring setups that forward untrusted data to Etsy::StatsD.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Remediation

Vendor Workaround

Ensure only trusted data is submitted to metrics.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Etsy::StatsD if a newer release that sanitizes metric input is available.
  • Strictly limit the data sent to the StatsD client to trusted sources only, as recommended in the vendor workaround.
  • Validate metric names and values before they are passed to Etsy::StatsD, ensuring no newlines, colons, or pipe characters are present.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
Title Etsy::StatsD versions through 1.002002 for Perl allow metric injections
Weaknesses CWE-93
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T17:41:32.496Z

Reserved: 2026-05-17T18:04:31.500Z

Link: CVE-2026-46741

cve-icon Vulnrichment

Updated: 2026-06-04T17:39:30.765Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T17:16:32.790

Modified: 2026-06-04T19:16:29.987

Link: CVE-2026-46741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z

Weaknesses