Skip to main content

Net::Statsd::Tiny CVE-2026-46720

| EUVDEUVD-2026-30706 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-17 9b29abf9-4ab0-4765-b253-1875cd9b441e GHSA-vqfg-jwcg-58ww
8.2
CVSS 3.1 · Vendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Share

Severity by source

Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) · only source for this CVE.

CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 18, 2026 - 13:22 vuln.today
Analysis Generated
May 18, 2026 - 13:22 vuln.today
CVSS changed
May 18, 2026 - 13:22 NVD
8.2 (HIGH)
Patch available
May 17, 2026 - 19:01 EUVD
CVE Published
May 17, 2026 - 18:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.

The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

AnalysisAI

Metric injection in the Perl module Net::Statsd::Tiny before version 0.3.8 allows remote attackers to inject arbitrary statsd metrics by smuggling newline, colon, or pipe characters through untrusted metric names or set values. The CVSS 8.2 score reflects high integrity impact from forged telemetry, and while a vendor patch is available, no public exploit has been identified at time of analysis.

Technical ContextAI

Net::Statsd::Tiny is a lightweight Perl client for the statsd line-oriented UDP/TCP protocol, where each metric is encoded on its own newline-delimited line using ':' to separate the name from the value and '|' to separate the value from the type suffix. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences / Injection): prior to 0.3.8 the client serialized caller-supplied strings directly into the wire protocol without validating that they were free of the protocol's structural delimiters. The patched commit (06f814f) adds a Carp::croak check rejecting metric names and values that match /[\N{U+00}-\N{U+1f}:|]/, blocking control characters below ASCII 32 (including LF/CR), colons, and pipes.

RemediationAI

Vendor-released patch: upgrade Net::Statsd::Tiny to version 0.3.8 or later from CPAN (see https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes), which adds input validation rejecting ASCII control characters, ':' and '|' in metric names and values per commit 06f814f. If immediate upgrade is not feasible, the practical compensating control is to sanitize or reject any untrusted input before it reaches the increment/decrement/timing/set calls - specifically strip or refuse strings containing \x00-\x1F, ':' or '|' - which mirrors the upstream fix; the trade-off is that you must audit every call site, and any legitimate metric that contained these characters (rare but possible for set values derived from user IDs) will be blocked. Additional defense in depth: ensure the statsd backend is on a trusted network segment so injected lines from a compromised client at least cannot reach untrusted aggregators, and review monitoring dashboards for anomalous metric names. See also https://vuldb.com/vuln/364434 and https://nvd.nist.gov/vuln/detail/CVE-2026-46720.

Share

CVE-2026-46720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy