Description
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injection.

The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent in a single packet.

Metrics::Any::Adapter::SignalFx extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _labels function does not check tag labels for newlines or statsd control characters, so the labels can be used for metric injection.
Published: 2026-06-10
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Metrics::Any::Adapter::SignalFx, an extension of Metrics::Any::Adapter::Statsd, fails to sanitize the labels (tags) it attaches to metrics, allowing an attacker who can influence a label value to inject metric data into the statsd stream. The vulnerability, classified as CWE-93 (improper neutralization of CRLF sequences), permits newline and statsd control characters in metric labels; because the protocol treats a newline as the boundary between metrics, a crafted label terminates the current metric and appends arbitrary further metrics, or corrupts the fields of the metric it belongs to. This leads to data integrity issues in monitoring systems, potentially masking true system behavior or triggering false alarms.

Affected Systems

The issue affects installations of PEVANS Metrics::Any::Adapter::SignalFx that are earlier than version 0.04. All earlier releases lack the protection against metric injection and should be considered vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and no EPSS data is available, so the probability of exploitation is currently unknown. The vector is network-reachable and needs neither privileges nor user interaction: the adapter formats metric names and label values into statsd packets without checking for newlines or statsd control characters, so an attacker who can influence a value that the application attaches as a label (for example request data that ends up in a tag) can terminate the metric and append further metrics of their choosing. The SSVC assessment records Exploitation: none and Automatable: yes. Although not identified in CISA's KEV list, the absence of exploitation data is not evidence of safety, and the integrity impact on monitoring data warrants prompt remediation.

Generated by OpenCVE AI on June 10, 2026 at 21:22 UTC.

Remediation

Vendor Solution

Upgrade to v0.04 or later.


OpenCVE Recommended Actions

  • Upgrade Metrics::Any::Adapter::SignalFx to version 0.04 or later
  • Restrict statsd traffic to the SignalFx endpoint using firewall rules that allow only trusted source IPs; note that this limits who can send packets directly but does not stop injection carried inside labels emitted by a trusted application
  • Add a pre-send sanitization step that removes or replaces newline and statsd control characters in metric names and labels before transmission, and apply it to both the label key and the label value
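The following is an added example written for this page, not code from Metrics::Any::Adapter::SignalFx or its author. It demonstrates the injection described in the Description and Impact sections and the pre-send sanitization recommended above, in Python rather than Perl so it can be run stand-alone. The function names (encode_unchecked, encode_hardened, sanitize, parse_packet), the hostile label value and the dogstatsd-style tag syntax are assumptions for illustration; the set of characters treated as control characters is also an assumption and must be matched to the statsd dialect the adapter actually emits.

```python
import re

# Characters with meaning in the statsd / dogstatsd line format
# ("name:value|type|@rate|#tag:val,tag2:val2", one metric per line).
# This set is an assumption for the example; match it to the dialect
# your adapter actually emits.
_CONTROL = re.compile(r"[\r\n:|@#,]")


def encode_unchecked(name, value, labels):
    """Hypothetical unprotected encoder: label keys and values are
    interpolated verbatim, so a newline inside a label ends the metric."""
    line = f"{name}:{value}|c"
    if labels:
        line += "|#" + ",".join(f"{k}:{v}" for k, v in labels.items())
    return line


def sanitize(text):
    """Replace every newline or statsd control character with '_'."""
    return _CONTROL.sub("_", str(text))


def encode_hardened(name, value, labels):
    """Same encoder with a pre-send sanitization step on the metric name
    and on both halves of every label; the value must already be numeric."""
    if not isinstance(value, (int, float)):
        raise TypeError("metric value must be numeric")
    line = f"{sanitize(name)}:{value}|c"
    if labels:
        line += "|#" + ",".join(
            f"{sanitize(k)}:{sanitize(v)}" for k, v in labels.items()
        )
    return line


def parse_packet(packet):
    """Receiver's view of one UDP payload: split on newlines, then on
    the '|' and ':' delimiters. Returns (name, value, type, tags) tuples."""
    metrics = []
    for raw in packet.split("\n"):
        if not raw:
            continue
        head, _, rest = raw.partition("|")
        name, _, value = head.partition(":")
        fields = rest.split("|")
        tags = {}
        for field in fields[1:]:
            if field.startswith("#"):
                for kv in field[1:].split(","):
                    k, _, v = kv.partition(":")
                    tags[k] = v
        metrics.append((name, value, fields[0], tags))
    return metrics


# Constructed attacker-controlled input: a User-Agent header that the
# application copies into a "user_agent" label on its request counter.
HOSTILE_LABEL = "curl\nbackup.job.success:1|c|#host:prod-db"


def demo():
    """Encode the same metric both ways and return what a collector parses."""
    labels = {"user_agent": HOSTILE_LABEL}
    injected = parse_packet(encode_unchecked("http.requests", 1, labels))
    clean = parse_packet(encode_hardened("http.requests", 1, labels))
    return injected, clean


if __name__ == "__main__":
    injected, clean = demo()
    print("unchecked:", injected)   # two metrics, one of them attacker-chosen
    print("hardened: ", clean)      # one metric, hostile bytes neutralised
```

With the unchecked encoder the collector sees two metrics in one packet, the second of which (a successful backup job on a host the attacker named) never happened; with the hardened encoder it sees a single request counter whose user_agent label contains the neutralised bytes. Replacing rather than stripping the characters keeps the label length visible, which makes injection attempts easier to spot in the stored tag values.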



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
 | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.
Title | | Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections
Weaknesses | | CWE-93
References | |


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-10T19:38:13.983Z

Reserved: 2026-06-05T12:07:20.886Z

Link: CVE-2026-50639

Vulnrichment

Updated: 2026-06-10T19:38:05.649Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T19:16:37.483

Modified: 2026-06-10T20:19:35.917

Link: CVE-2026-50639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T21:30:36Z

Weaknesses