Description
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injection.

The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet.

Metrics::Any::Adapter::SignalFx extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _labels function does not check tag labels for newlines or statsd control characters. The labels can be used for metric injection.
Published: 2026-06-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Metrics::Any::Adapter::SignalFx for Perl, before version 0.04, fails to sanitize metric labels, enabling attackers to inject arbitrary metrics via the Statsd protocol when sending packets that contain newlines or control characters. This flaw, related to CWE-93 and CWE-150, permits malicious manipulation of monitoring data, potentially leading to data corruption or false alarms.

Affected Systems

The issue affects installations of PEVANS Metrics::Any::Adapter::SignalFx that are earlier than version 0.04. All earlier releases lack the protection against metric injection and should be considered vulnerable.

Risk and Exploitability

The CVSS score is 6.5 (Medium), and the EPSS score of < 1% indicates a very low but nonzero probability of exploitation. The vulnerability is exploitable over the network by sending specially crafted Statsd packets to the SignalFx endpoint, so the attack vector is remote. Because the weakness is a failure to validate input, an adversary who controls the metric stream can inject metrics without elevated privileges. The vulnerability is not on CISA’s KEV list and its EPSS score is low, but the risk is moderate and warrants prompt remediation.

Generated by OpenCVE AI on June 19, 2026 at 21:33 UTC.

Remediation

Vendor Solution

Upgrade to v0.04 or later.


OpenCVE Recommended Actions

  • Upgrade Metrics::Any::Adapter::SignalFx to version 0.04 or later
  • Restrict Statsd traffic to SignalFx endpoint using firewall rules to allow only trusted source IPs
  • Add a pre-send sanitization step that removes newline and control characters from metric labels before transmission
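
The pre-send sanitization step, and the newline injection it prevents, as an added example. This is not the module's own code and the fix shipped in 0.04 may differ. The dogstatsd-style line layout, the set of neutralized characters and all function names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Illustrative formatter (hypothetical, not the module's code): builds one
# dogstatsd-style line "name:value|type|#key:val,key:val" with no checks.
sub format_unsafe {
    my ( $name, $value, $type, %labels ) = @_;
    my $tags = join ",", map { $_ . ":" . $labels{$_} } sort keys %labels;
    return "$name:$value|$type" . ( length($tags) ? "|#$tags" : "" );
}

# Replace newlines, other control characters and the separators that carry
# meaning in a statsd line with "_". The character set is an assumption
# for the dogstatsd-style layout used here.
sub sanitize {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\x00-\x1f\x7f:|#,\@]/_/g;
    return $s;
}

sub format_safe {
    my ( $name, $value, $type, %labels ) = @_;
    # Value and type are refused, not repaired, when they are malformed.
    die "non-numeric metric value\n"
        unless $value =~ /\A-?[0-9]+(?:\.[0-9]+)?\z/;
    die "unexpected metric type\n" unless $type =~ /\A[a-z]{1,2}\z/;
    my %clean =
        map { ( sanitize($_) => sanitize( $labels{$_} ) ) } keys %labels;
    return format_unsafe( sanitize($name), $value, $type, %clean );
}

# A receiver splits each packet on newlines, one metric per line.
sub count_metrics { return scalar grep { length } split /\n/, $_[0] }

# Constructed input: a label value taken from untrusted data (for example a
# request path) that carries an embedded newline.
my %labels = ( path => "/login\nforged.metric:999|g" );

my $before = format_unsafe( "http.requests", 1, "c", %labels );
my $after  = format_safe( "http.requests", 1, "c", %labels );

printf "unsanitized: %d metric(s) in packet\n", count_metrics($before);
printf "sanitized:   %d metric(s) in packet\n", count_metrics($after);
print "$after\n";
```

Sanitizing at the point where the line is assembled covers every caller; checking only at the application's input boundary leaves any label built elsewhere unprotected.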

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type: Description
Values Removed: Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.
Values Added: Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.

Type: Weaknesses
Values Added: CWE-150

Type: References

Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Pevans; Pevans metrics::any::adapter::signalfx

Type: Vendors & Products
Values Added: Pevans; Pevans metrics::any::adapter::signalfx

Wed, 10 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 19:15:00 +0000

Type: Description
Values Added: Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.

Type: Title
Values Added: Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections

Type: Weaknesses
Values Added: CWE-93

Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-19T15:33:21.954Z

Reserved: 2026-06-05T12:07:20.886Z

Link: CVE-2026-50639

Vulnrichment

Updated: 2026-06-10T19:38:05.649Z

NVD

Status: Awaiting Analysis

Published: 2026-06-10T19:16:37.483

Modified: 2026-06-10T20:19:35.917

Link: CVE-2026-50639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:45:04Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')