Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.

The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.

The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.

Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Published: 2026-06-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DataDog::DogStatsd Perl library, up to and including version 0.07, does not properly sanitize input used in the send_stats method. The library fails to strip newlines from metric names, fails to validate the content of the metric value, and fails to prevent newlines, pipes, and colons in tags. These deficiencies allow an attacker to craft arbitrary metric names, inject unintended metrics, and manipulate tag values, corrupting monitoring data and potentially misleading dashboards and alerts.

Affected Systems

All installations of the DataDog::DogStatsd Perl library with versions through 0.07 are affected. This includes any application employing the library without additional sanitisation, regardless of the environment in which it runs.

Risk and Exploitability

The vulnerability can be exploited whenever untrusted data is supplied to the vulnerable methods, for example from web form inputs or other user-controlled sources. Because the flaw only corrupts metric data and does not provide code execution, the risk mainly concerns the integrity of monitoring data and the accuracy of alert conditions. The CVSS score of 9.1 indicates critical severity, while the EPSS score of <1% points to a low probability of exploitation. There is no publicly available exploit or listing in the CISA KEV catalog. The most likely attack vector is through application components that accept external input and forward it to the DogStatsd send_stats routine without validation. Administrators should treat the situation as a significant integrity risk, especially in environments where accurate metrics drive operational or security decisions.

Generated by OpenCVE AI on June 8, 2026 at 20:38 UTC.

Remediation

Vendor Workaround

Ensure that metric names, values and tags come from trusted sources or are properly sanitised.


OpenCVE Recommended Actions

  • Upgrade DataDog::DogStatsd to a release newer than version 0.07 (e.g., 0.08 or later) which includes proper sanitisation of metric names, values, and tags.
  • Before passing any metric name, value, or tag to send_stats, strip or reject newlines and ensure the strings contain only alphanumeric characters and the allowed delimiter characters; enforce a strict whitelist of permissible characters.
  • Validate that numeric parameters such as the delta value in set, gauge, count, and histogram calls are truly numeric, rejecting or coercing any non-numeric input before the call is made.
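The following is an added example of the guard these actions describe; it is not code from DataDog::DogStatsd or from this advisory. It validates the three inputs named in the description (metric name, value, tags) against a strict whitelist before they would reach send_stats, and assembles the resulting DogStatsD line so the effect of the checks is visible. The function names, the whitelist and the sample inputs are this example's own; the line layout follows the public DogStatsD datagram format (name:value|type|#tag,tag).

```perl
#!/usr/bin/env perl
# Added example (not part of DataDog::DogStatsd or the advisory): a
# whitelist-based guard to run on metric names, values and tags before
# they reach send_stats, plus a builder for the DogStatsD datagram so the
# effect of the guard is visible. Function names are the example's own.
use strict;
use warnings;

# Metric names: letters, digits, underscore and dot only. Newline, colon
# and pipe are the datagram's record and field delimiters and are refused.
sub sanitize_metric_name {
    my ($stat) = @_;
    die "metric name must be defined\n" unless defined $stat;
    die "metric name contains disallowed characters: '$stat'\n"
        unless $stat =~ /\A[A-Za-z][A-Za-z0-9_.]*\z/;
    return $stat;
}

# Values: accept only plain integers or decimals. This also covers set,
# gauge, count and histogram, which do not restrict the value's type.
sub sanitize_value {
    my ($delta) = @_;
    die "value must be defined\n" unless defined $delta;
    die "value is not numeric: '$delta'\n"
        unless $delta =~ /\A-?(?:\d+(?:\.\d+)?|\.\d+)\z/;
    return $delta + 0;
}

# Tags: "key" or "key:value", each part from a narrow whitelist. A second
# colon, a pipe, a comma or a newline would start a new field or record.
sub sanitize_tags {
    my ($tags) = @_;
    my @clean;
    for my $tag (@{ $tags || [] }) {
        die "tag must be defined\n" unless defined $tag;
        die "tag contains disallowed characters: '$tag'\n"
            unless $tag =~ /\A[A-Za-z][A-Za-z0-9_.\-]*(?::[A-Za-z0-9_.\-]+)?\z/;
        push @clean, $tag;
    }
    return \@clean;
}

# Assemble "name:value|type|#tag,tag" from validated parts. In real use the
# validated values are handed to the library; the builder only shows what
# the guard protects. Types are the common StatsD ones.
sub build_datagram {
    my ($stat, $delta, $type, $tags) = @_;
    my $name  = sanitize_metric_name($stat);
    my $value = sanitize_value($delta);
    my $clean = sanitize_tags($tags);
    die "unknown metric type '$type'\n" unless $type =~ /\A(?:c|g|h|s|ms)\z/;
    my $line = "${name}:${value}|${type}";
    $line .= '|#' . join(',', @$clean) if @$clean;
    return $line;
}

# Constructed inputs: one clean request, then the kind of raw form field
# the SYNOPSIS passes straight through as a tag, and a name and a value
# carrying a newline.
my @cases = (
    [ 'login.count', 1, 'c', [ 'user:alice' ] ],
    [ 'login.count', 1, 'c', [ "user:alice\nsomething.else:1|g" ] ],
    [ "login.count\nother.metric", 1, 'c', [] ],
    [ 'login.count', "1|g\nother.metric:1|c", 'c', [] ],
);
for my $case (@cases) {
    my $line = eval { build_datagram(@$case) };
    if (defined $line) { print "sent:     $line\n" }
    else               { print "rejected: $@" }
}
```

The whitelists are deliberately narrow; widen them to whatever your metric taxonomy needs (for example a slash in a tag value), but never to newline, pipe, colon beyond the single key:value separator, or comma, since those are the characters that let one field or record become several. Rejecting rather than stripping keeps a bad value from silently turning into a different but valid-looking metric.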

Generated by OpenCVE AI on June 8, 2026 at 20:38 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

  Type: First Time appeared
  Values Added: Binary datadog\

  Type: CPEs
  Values Added: cpe:2.3:a:binary:datadog\:\:dogstatsd:*:*:*:*:*:perl:*:*

  Type: Vendors & Products
  Values Added: Binary datadog\

Mon, 08 Jun 2026 19:30:00 +0000

  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:30:00 +0000

  Type: First Time appeared
  Values Added: Binary; Binary datadog::dogstatsd

  Type: Vendors & Products
  Values Added: Binary; Binary datadog::dogstatsd

Fri, 05 Jun 2026 15:45:00 +0000

  Type: Description
  Values Added: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.

  Type: Title
  Values Added: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections

  Type: Weaknesses
  Values Added: CWE-150; CWE-93

  Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-08T18:17:12.608Z

Reserved: 2026-05-22T10:23:06.050Z

Link: CVE-2026-9270

Vulnrichment

Updated: 2026-06-08T18:16:55.711Z

NVD

Status : Analyzed

Published: 2026-06-05T16:16:41.780

Modified: 2026-06-10T15:01:31.007

Link: CVE-2026-9270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T20:45:32Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')