Description
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injection.

The statsd protocol (and its extensions) allows multiple metrics, separated by newlines, to be sent per packet.

The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.

Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
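To make the defect and the fix concrete, the following Python re-implementation of the line formatting is an added example; it is not the module's Perl code. `make_line_vulnerable` mirrors the pre-0.04 behaviour (the name is interpolated into the wire format unchecked), `make_line_fixed` applies the 0.04 rule quoted above (reject names containing any character below ASCII 32, a colon or a pipe), and `metrics_in_packet` splits a packet the way a statsd listener does. The function names and the sample metric name are assumptions for the demonstration.

```python
import re

# Delimiters of the statsd line format: ':' separates name from value,
# '|' separates value from type, '\n' separates metrics within a packet.
# Version 0.04 of the module rejects names containing any of these or any
# byte below ASCII 32; this regex is a re-implementation of that rule.
_FORBIDDEN = re.compile(r"[\x00-\x1f:|]")


def is_safe_name(name: str) -> bool:
    """True if the name cannot change the structure of the packet."""
    return _FORBIDDEN.search(name) is None


def make_line_vulnerable(name: str, value, metric_type: str = "c") -> str:
    """Pre-0.04 behaviour: the name is interpolated without validation."""
    return f"{name}:{value}|{metric_type}"


def make_line_fixed(name: str, value, metric_type: str = "c") -> str:
    """0.04-style behaviour: refuse names that could alter the packet."""
    if not is_safe_name(name):
        raise ValueError(f"metric name contains a control, ':' or '|' character: {name!r}")
    return f"{name}:{value}|{metric_type}"


def metrics_in_packet(packet: str) -> list[str]:
    """Split a packet the way a statsd listener does: one metric per newline."""
    return [line for line in packet.split("\n") if line]


if __name__ == "__main__":
    # Constructed sample: a metric name built from untrusted input that
    # carries a newline followed by a complete second metric line.
    tainted = "app.requests\nbilling.error_total:9999|c"
    pkt = make_line_vulnerable(tainted, 1)
    print(metrics_in_packet(pkt))  # the listener sees two metrics from one call
    try:
        make_line_fixed(tainted, 1)
    except ValueError as err:
        print("rejected:", err)
```

The fixed variant raises on the tainted name, so the caller (not the remote listener) is the point where the bad input surfaces; an application that builds metric names from request data should catch that error and fall back to a fixed, known-good name rather than dropping the metric silently.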
Published: 2026-06-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Metrics::Any::Adapter::Statsd, a Perl module that forwards statistics to a StatsD server, lacks validation for metric names and values in its send routine. Input strings containing newlines, colons, or pipe characters are accepted unchanged, allowing an attacker who controls a metric name to inject additional metric lines into the StatsD payload. This injection flaw is classified as CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection') and CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The consequence is that the integrity of monitoring data can be compromised: dashboards may display false information, alerts could be triggered inappropriately, and the StatsD service could be burdened by excessive or malformed traffic.

Affected Systems

All deployments that use Metrics::Any::Adapter::Statsd (vendor: Pevans) at versions earlier than 0.04 are affected. Installations that embed this module in application servers, background workers, or monitoring agents that send metrics to a StatsD endpoint could be vulnerable unless the code path using the module is removed or replaced.

Risk and Exploitability

The CVSS score of 8.2 reflects high severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability can be exercised over the network by any entity able to get data into a metric name that the application forwards to the StatsD listener (typically UDP port 8125 or its TCP alternative), which matches the network attack vector in the CVSS vector. Although not yet listed in CISA's KEV catalog, the potential to distort monitoring data or exhaust the StatsD service warrants proactive remediation.

Generated by OpenCVE AI on June 19, 2026 at 21:52 UTC.

Remediation

Vendor Solution

Upgrade to v0.04 or later.


OpenCVE Recommended Actions

  • Upgrade Metrics::Any::Adapter::Statsd to version 0.04 or later
  • Eliminate any older instances of the module from the production codebase
  • Restrict write access to the StatsD server so that only trusted application hosts can send metrics
  • Implement monitoring of incoming metric traffic for anomalies such as unexpected newline characters or control symbol usage
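The last recommendation, monitoring incoming metric traffic for anomalies, can be implemented on the listener side. The following Python is an added example and not part of OpenCVE or the module: `inspect_packet` takes one received datagram, flags control characters other than the newline separator, lines that do not match the statsd line grammar (core format plus the common sample-rate and tag extensions), and metric names outside the namespaces this deployment is expected to emit. The `ALLOWED_PREFIXES` allowlist, the function names and the sample packets are assumptions constructed for the demonstration; the namespace check is the one that catches an injected line, because after a newline injection the extra line is itself a well-formed metric.

```python
import re

# statsd line grammar: <name>:<value>|<type>[|@<rate>][|#<tags>]
# (sample rate and tags are extensions; the type list covers the common ones).
_METRIC_LINE = re.compile(
    r"^(?P<name>[^:|]+):(?P<value>[^|]+)\|(?P<type>c|ms|g|s|h|d)"
    r"(?:\|@(?P<rate>[0-9.]+))?(?:\|#(?P<tags>[^|]*))?$"
)
# Any byte below ASCII 32 except the '\n' that legitimately separates metrics.
_CONTROL = re.compile(r"[\x00-\x09\x0b-\x1f]")
# Namespaces this deployment is expected to emit (assumed allowlist).
ALLOWED_PREFIXES = ("app.", "worker.")


def inspect_packet(payload: bytes, allowed_prefixes=ALLOWED_PREFIXES) -> list[str]:
    """Return anomaly descriptions for one received statsd datagram (empty if clean)."""
    findings = []
    text = payload.decode("utf-8", errors="replace")
    if _CONTROL.search(text):
        findings.append("control character in packet")
    for line in text.split("\n"):
        if not line:
            continue
        match = _METRIC_LINE.match(line)
        if not match:
            findings.append(f"unparseable metric line: {line!r}")
            continue
        name = match.group("name")
        if not name.startswith(allowed_prefixes):
            findings.append(f"metric outside expected namespace: {name!r}")
    return findings


def scan_packets(packets: list[bytes]) -> dict[int, list[str]]:
    """Map packet index to its findings, keeping only packets with anomalies."""
    report = {}
    for idx, packet in enumerate(packets):
        findings = inspect_packet(packet)
        if findings:
            report[idx] = findings
    return report


if __name__ == "__main__":
    # Constructed sample traffic: one clean multi-metric packet, one packet
    # carrying an injected metric line, one with a stray carriage return.
    sample = [
        b"app.requests:1|c\napp.latency:12|ms|@0.5",
        b"app.requests:1|c\nbilling.error_total:9999|c",
        b"app.requests\r:1|c",
    ]
    for idx, findings in scan_packets(sample).items():
        print(f"packet {idx}: {findings}")
```

In a deployment this would sit in front of, or as a tap on, the StatsD listener; the namespace allowlist is the part that needs tuning per environment, and a packet that parses cleanly but names a metric nobody emits is a strong signal that a client is forwarding attacker-influenced names.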

Generated by OpenCVE AI on June 19, 2026 at 21:52 UTC.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type: Description
  Values Removed: Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
  Values Added: Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
Type: Weaknesses
  Values Added: CWE-150
Type: References

Thu, 11 Jun 2026 20:30:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
  Values Added: Pevans; Pevans metrics::any::adapter::statsd
Type: Vendors & Products
  Values Added: Pevans; Pevans metrics::any::adapter::statsd

Wed, 10 Jun 2026 19:15:00 +0000

Type: Description
  Values Added: Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
Type: Title
  Values Added: Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
Type: Weaknesses
  Values Added: CWE-93
Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-19T15:32:41.370Z

Reserved: 2026-06-05T12:07:20.886Z

Link: CVE-2026-50637

Vulnrichment

Updated: 2026-06-11T19:10:13.260Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T19:16:37.263

Modified: 2026-06-11T20:16:25.187

Link: CVE-2026-50637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:00:07Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')