Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.
If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.
Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.
AnalysisAI
Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.
Technical ContextAI
Plack::Middleware::Statsd is a Perl middleware component that integrates Plack web applications with statsd, a lightweight network daemon for aggregating and publishing application metrics. The vulnerability stems from CWE-319 (Cleartext Transmission of Sensitive Information) - the middleware transmits user IP addresses to the statsd daemon without encryption, typically via UDP to a remote or untrusted network. When the statsd communication channel is not secured (UDP to an external host, no TLS/DTLS), any passive network observer can capture and log client IP addresses. The fix in version 0.9.0 changes the default behavior to not log IP addresses at all, and when IP logging is explicitly enabled via configuration, the IP is hashed using HMAC rather than transmitted in plaintext.
RemediationAI
The primary remediation is to upgrade Plack::Middleware::Statsd to version 0.9.0 or later. Users on Perl/CPAN can update via cpan or cpanm: cpan -u Plack::Middleware::Statsd or cpanm Plack::Middleware::Statsd@0.9.0. For organizations unable to upgrade immediately, implement network-level controls: restrict statsd daemon access to trusted internal subnets only (firewall rules blocking UDP port 8125 from untrusted sources), deploy the statsd daemon on the same host as the application (localhost only binding), or route statsd communication through an encrypted tunnel (VPN/stunnel wrapper around UDP). If IP logging is required, confirm that version 0.9.0+ is in use with IP logging explicitly enabled, which will use HMAC signatures instead of plaintext transmission. Verify the fix by reviewing application logs and statsd metric names to confirm IP addresses no longer appear in plaintext.
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Rated critical severity
Header injection filtering bypass in Plack::Middleware::Security::Common (Perl) versions prior to 0.13.1 allows remote a
Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to b
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28995