Impact
Metrics::Any::Adapter::Statsd, a Perl module that transmits statistics to a StatsD server, contains an input validation flaw that allows metric injection. The library's send method accepts raw metric strings without sanitizing names or values. An attacker who can influence a metric name can embed newlines and StatsD control characters such as colons or pipes, so that the StatsD server interprets the injected data as separate metrics or commands. The weakness is classified as CWE-93 (improper neutralization of CRLF sequences). The impact is loss of data integrity and potential denial of service: injected metrics can skew dashboards, trigger alarms, or exhaust server resources.
Affected Systems
Perl code built on PEVANS::Metrics::Any::Adapter::Statsd prior to version 0.04 is affected. The vulnerability is fixed in release 0.04 and later, which rejects metric names containing StatsD control characters or any character below ASCII 32 (a range that covers CR and LF). Any environment that uses the older module to report statistics to a StatsD server, such as application servers or monitoring agents, must check whether it carries a vulnerable version.
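The following is an added example, not code from Metrics::Any::Adapter::Statsd or its author, written in Python rather than Perl because the check is language-independent. It implements a client-side name check of the kind the 0.04 fix is described as adding (reject code points below 32 and the StatsD field delimiters) and pairs it with a simplified server-side packet splitter that shows why an unchecked name matters. The "name:value|type" line format is the common StatsD convention; all function names and the sample metric names are this example's own.

```python
"""Client-side StatsD metric name validation, with a simplified
server-side parse to illustrate the effect of an unchecked name.
Added example; not part of Metrics::Any::Adapter::Statsd."""
from typing import List, Tuple

# StatsD uses ':' to separate name from value, '|' to separate value
# from type, and '\n' to separate metrics within one datagram.
STATSD_DELIMITERS = {":", "|"}
STATSD_TYPES = {"c", "g", "ms", "s"}


def is_safe_metric_name(name: str) -> bool:
    """Return True only if the name cannot alter StatsD line structure.

    Mirrors the advisory's description of the fix: reject any character
    below ASCII 32 (which includes CR and LF) and the field delimiters.
    """
    if not name:
        return False
    for ch in name:
        if ord(ch) < 32 or ch in STATSD_DELIMITERS:
            return False
    return True


def format_statsd_line(name: str, value: int, metric_type: str = "c") -> str:
    """Build one StatsD line, refusing names that could inject extra metrics."""
    if not is_safe_metric_name(name):
        raise ValueError(f"unsafe metric name rejected: {name!r}")
    if metric_type not in STATSD_TYPES:
        raise ValueError(f"unknown metric type: {metric_type!r}")
    return f"{name}:{value}|{metric_type}"


def split_statsd_packet(packet: str) -> List[Tuple[str, str, str]]:
    """Simplified StatsD server parse: one 'name:value|type' metric per line.

    Used only to show how a server would see an unchecked name; this is
    not a complete StatsD implementation (no sample rates or tags).
    """
    metrics = []
    for line in packet.split("\n"):
        if not line:
            continue
        name, _, rest = line.partition(":")
        value, _, mtype = rest.partition("|")
        metrics.append((name, value, mtype))
    return metrics


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(format_statsd_line("requests.total", 1))  # requests.total:1|c

    # A name carrying a newline, as the advisory describes. Interpolated
    # without a check, the single "metric" becomes two server-side records.
    unchecked_name = "requests.total:1|c\ninjected.metric"
    print(split_statsd_packet(f"{unchecked_name}:999|g"))

    # With the check in place the same name is refused before it is sent.
    try:
        format_statsd_line(unchecked_name, 999, "g")
    except ValueError as err:
        print("rejected:", err)
```

In a real client the check belongs at the point where an externally influenced string becomes a metric name, before any formatting; the parser here exists only to make the server's view of an unchecked name visible.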
Risk and Exploitability
No CVSS score is provided and no EPSS score is available, so the likelihood of exploitation cannot be quantified from the CVE data. The flaw can be exercised remotely by any actor able to send data to the StatsD endpoint, typically over UDP or TCP, so the attack vector is likely network-based. The absence of a listing in CISA's KEV catalog indicates no known in-the-wild exploitation as of this record, but the severity of the potential data integrity damage warrants proactive remediation.
OpenCVE Enrichment