Skip to main content

Net::Statsd CVE-2026-46739

| EUVDEUVD-2026-34295 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-04 CPANSec GHSA-wjp4-mf92-6wh6
5.3
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from Vendor (CPANSec) · only source for this CVE.

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 04, 2026 - 19:27 vuln.today
Analysis Generated
Jun 04, 2026 - 19:27 vuln.today
CVSS changed
Jun 04, 2026 - 19:22 NVD
5.3 (MEDIUM)
Patch available
Jun 04, 2026 - 18:01 EUVD
CVE Published
Jun 04, 2026 - 15:45 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Net::Statsd versions before 0.13 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).

AnalysisAI

Metric injection in Net::Statsd for Perl (all versions before 0.13) allows network-reachable, unauthenticated attackers to forge additional StatsD metric lines by embedding newlines, colons, or pipes in metric names or values passed through the library. Any application that feeds untrusted external input into Net::Statsd method calls without prior sanitization is directly exposed, because the wire format uses those characters as delimiters between metrics in a single UDP datagram. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the CVSS AV:N/AC:L/PR:N/UI:N surface warrants prompt patching wherever user-controlled strings reach metric instrumentation calls.

Technical ContextAI

Net::Statsd (CPE: cpe:2.3:a:cosimo:net::statsd:*:*:*:*:*:*:*:*) is a Perl CPAN module for shipping application telemetry to a StatsD daemon over UDP. The StatsD wire format encodes each metric as 'name:value|type', and multiple metrics are packed into a single UDP datagram separated by newline characters. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences): prior to version 0.13, the timing, update_stats, gauge, increment, decrement, and direct send methods accepted metric names and values without checking for newlines (or any control character below ASCII 32), colons, or pipes. The update_stats and gauge methods additionally did not enforce numeric-only values, allowing string payloads containing the delimiter characters. Version 0.13 introduces internal _validate_metric_name and _validate_metric_value functions that call Carp::croak on forbidden characters; name validation is centralized in send() to catch all call paths, while value validation is applied at each individual entry-point method before the |type suffix is appended.

RemediationAI

Upgrade Net::Statsd to version 0.13 or later using 'cpanm Net::Statsd' or 'cpan Net::Statsd'; version 0.13 is confirmed as the fix release in the upstream Changes file and PR at https://github.com/cosimo/perl5-net-statsd/pull/10. If an immediate upgrade cannot be performed, apply compensating controls at the application layer: explicitly validate or reject any metric name string containing newlines, colons, or pipe characters before passing it to any Net::Statsd method, and ensure values passed to update_stats and gauge are verified numeric (e.g., via Scalar::Util::looks_like_number). Note that application-layer sanitization introduces maintenance risk - it must cover every call site - and the definitive fix is upgrading to 0.13 where validation is enforced centrally within the library. Refer to https://seclists.org/oss-sec/2026/q2/811 for the full disclosure context.

More in Net

View all
CVE-2026-33811 HIGH POC
7.5 May 07

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali

CVE-2018-17848 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "

CVE-2018-17847 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading

CVE-2018-17143 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a

CVE-2018-17142 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani

CVE-2018-17075 HIGH POC
7.5 Sep 16

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:

CVE-2026-45491 MEDIUM POC
5.5 Jun 09

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe

CVE-2024-43498 CRITICAL
9.8 Nov 12

.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-36049 CRITICAL
9.8 Nov 14

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v

CVE-2024-57854 CRITICAL
9.1 Mar 05

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

CVE-2026-11373 CRITICAL
9.1 Jun 22

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name

CVE-2026-45591 HIGH
7.5 Jun 09

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru

Share

CVE-2026-46739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy