Impact
Metrics::Any::Adapter::Statsd, a Perl module that forwards statistics to a StatsD server, does not validate metric names or values in its send routine. Strings containing newline, colon, or pipe characters are passed through unchanged. Because those characters delimit the StatsD line protocol (a newline separates metrics, a colon separates the name from the value, and a pipe separates the value from the type and sample rate), an attacker who controls such a string can append additional metrics or alter the fields of the metric being sent. The flaw is classified as CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection') and CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The consequence is that the integrity of monitoring data can be compromised: dashboards may display false readings, alerts could be triggered inappropriately, and the StatsD service could be burdened by excessive or malformed traffic.
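The following is an added, language-neutral illustration of the injection and of the input check that prevents it. It is not code from Metrics::Any::Adapter::Statsd or from its author; the function names, the minimal StatsD parser, and the attacker-controlled value are constructed here for demonstration. It shows a naive sender turning one metric into two when the value carries a newline, and a checking sender that rejects any name or value that is not a plain identifier or number.

```python
import re

# A StatsD datagram is one or more lines of "<name>:<value>|<type>[|@<rate>]".
# Newline, ":" and "|" are structural, so any of them inside an untrusted
# name or value changes the structure of the datagram the server receives.


def build_payload_unsafe(name, value, mtype="c"):
    """Naive formatting with no validation: the pattern the advisory describes."""
    return f"{name}:{value}|{mtype}"


def parse_statsd(payload):
    """Minimal parser modelled on the StatsD line protocol.

    Returns a list of (name, value, type) tuples, one per non-empty line.
    Extra fields after the type (such as a sample rate) are ignored here.
    """
    metrics = []
    for line in payload.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        name, _, rest = line.partition(":")
        fields = rest.split("|")
        value = fields[0]
        mtype = fields[1] if len(fields) > 1 else ""
        metrics.append((name, value, mtype))
    return metrics


# Allow-list checks: a metric name is an identifier, a value is a number.
# Rejecting is safer than stripping, because a stripped name silently
# collides with another metric instead of surfacing the bad input.
_NAME_OK = re.compile(r"[A-Za-z0-9_.-]+")
_VALUE_OK = re.compile(r"[+-]?(?:\d+|\d*\.\d+)")
_TYPES = ("c", "g", "ms", "s", "h")


def is_safe_metric(name, value, mtype="c"):
    """True when name, value and type contain no protocol characters."""
    return (
        _NAME_OK.fullmatch(str(name)) is not None
        and _VALUE_OK.fullmatch(str(value)) is not None
        and mtype in _TYPES
    )


def build_payload_safe(name, value, mtype="c"):
    """Same formatting as the unsafe version, but only for validated input."""
    if not is_safe_metric(name, value, mtype):
        raise ValueError(f"refusing to send metric {name!r}={value!r}|{mtype}")
    return f"{name}:{value}|{mtype}"


# Constructed attacker input: a "value" that closes the legitimate metric and
# smuggles a second one that sets a gauge the attacker should not control.
INJECTED_VALUE = "1|c\nbilling.balance:-99999|g"


def demo():
    """Returns what a StatsD server would see from the naive sender."""
    return parse_statsd(build_payload_unsafe("http.requests", INJECTED_VALUE))


if __name__ == "__main__":
    for metric in demo():
        print(metric)
    try:
        build_payload_safe("http.requests", INJECTED_VALUE)
    except ValueError as err:
        print("checked sender:", err)
```

Run as a script, the naive sender yields two parsed metrics, the second being the attacker's gauge, while the checking sender raises before anything reaches the socket. The same regular expressions also reject a name such as `a:b` or `x|c`, so the name path is covered as well as the value path.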
Affected Systems
All deployments of the Metrics-Any-Adapter-Statsd distribution (CPAN author PEVANS) at versions earlier than 0.04 are affected. Application servers, background workers, and monitoring agents that embed the module to send metrics to a StatsD endpoint remain exposed until the module is upgraded to an unaffected version (0.04 or later) or removed from the code path that emits metrics. Exposure is greatest where any part of a metric name or value is derived from untrusted input.
Risk and Exploitability
The CVSS score of 8.2 rates the issue as high severity, while the EPSS score below 1 % indicates a low estimated probability of exploitation in the wild. The attack vector is network: the attacker does not need access to the StatsD listener itself (typically UDP port 8125, or its TCP alternative) but only needs to get a crafted string into a metric name or value, for example through a request attribute that the application records as a metric, after which the application delivers the injected payload on the attacker's behalf. The vulnerability is not listed in CISA's KEV catalog, but the potential to distort monitoring data or overload the StatsD service warrants proactive remediation.
OpenCVE Enrichment