Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (CPANSec) · only source for this CVE.
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.
The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
AnalysisAI
Metric injection in Net::Statsd::Lite (Perl) affects all releases before v0.9.0, allowing unauthenticated remote attackers to inject arbitrary statsd metrics by embedding newline, colon, or pipe characters into metric names derived from untrusted input. Because the statsd wire protocol uses these characters as record separators and field delimiters, an unsanitized metric name can smuggle additional forged metrics into the UDP stream transmitted to a statsd daemon, corrupting monitoring and telemetry data. No public exploit code exists at time of analysis and the EPSS score of 0.01% (1st percentile) indicates negligible observed exploitation activity; however, the patch diff makes exploitation trivially constructible by any attacker who can influence metric name values in a vulnerable application.
Technical ContextAI
Net::Statsd::Lite is a lightweight Perl CPAN module (author: RRWO; CPE: cpe:2.3:a:rrwo:net::statsd::lite:*:*:*:*:*:*:*:*) that sends metrics to a statsd daemon over UDP. The statsd wire protocol encodes metrics in the format <name>:<value>|<type>, with newlines used to separate multiple metric records in a single datagram. Because colons and pipes delimit fields within a record, and newlines delimit records themselves, injecting any of these characters into a metric name allows the construction of fully-formed additional metric records. CWE-93 (Improper Neutralization of CRLF Sequences / CRLF Injection) precisely characterizes the root cause: the library accepted user-controlled metric name strings without rejecting or stripping protocol-significant characters. The v0.9.0 fix, visible in the public commit diff, adds two croak guards in lib/Net/Statsd/Lite.pm: one rejecting metric names matching /[\n:|]/ and one rejecting suffixes matching /[\n]/, refusing malformed input at the library boundary rather than silently passing it through.
RemediationAI
Upgrade Net::Statsd::Lite to version 0.9.0 or later - this is the vendor-released patch confirmed by both the CPAN changelog (https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes) and the public commit (https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch). Install via cpanm Net::Statsd::Lite or your organization's preferred CPAN mirror. If an immediate upgrade is blocked (e.g., by frozen dependency trees), a compensating control is to sanitize or reject any user-controlled string at the application layer before passing it as a metric name - specifically, strip or refuse strings matching /[\n:|]/. This workaround must be applied consistently at every call site that feeds external data into Net::Statsd::Lite, introducing maintenance complexity; upgrading to v0.9.0 is the definitive and recommended resolution with no known functional regressions.
Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:
Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe
.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name
Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30672
GHSA-2x39-j499-jv87