Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) · only source for this CVE.
CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.
The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
AnalysisAI
Metric injection in the Perl module Net::Statsd::Tiny before version 0.3.8 allows remote attackers to inject arbitrary statsd metrics by smuggling newline, colon, or pipe characters through untrusted metric names or set values. The CVSS 8.2 score reflects high integrity impact from forged telemetry, and while a vendor patch is available, no public exploit has been identified at time of analysis.
Technical ContextAI
Net::Statsd::Tiny is a lightweight Perl client for the statsd line-oriented UDP/TCP protocol, where each metric is encoded on its own newline-delimited line using ':' to separate the name from the value and '|' to separate the value from the type suffix. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences / Injection): prior to 0.3.8 the client serialized caller-supplied strings directly into the wire protocol without validating that they were free of the protocol's structural delimiters. The patched commit (06f814f) adds a Carp::croak check rejecting metric names and values that match /[\N{U+00}-\N{U+1f}:|]/, blocking control characters below ASCII 32 (including LF/CR), colons, and pipes.
RemediationAI
Vendor-released patch: upgrade Net::Statsd::Tiny to version 0.3.8 or later from CPAN (see https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes), which adds input validation rejecting ASCII control characters, ':' and '|' in metric names and values per commit 06f814f. If immediate upgrade is not feasible, the practical compensating control is to sanitize or reject any untrusted input before it reaches the increment/decrement/timing/set calls - specifically strip or refuse strings containing \x00-\x1F, ':' or '|' - which mirrors the upstream fix; the trade-off is that you must audit every call site, and any legitimate metric that contained these characters (rare but possible for set values derived from user IDs) will be blocked. Additional defense in depth: ensure the statsd backend is on a trusted network segment so injected lines from a compromised client at least cannot reach untrusted aggregators, and review monitoring dashboards for anomalous metric names. See also https://vuldb.com/vuln/364434 and https://nvd.nist.gov/vuln/detail/CVE-2026-46720.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30706
GHSA-vqfg-jwcg-58ww