Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (CPANSec) · only source for this CVE.
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Net::Statsd versions before 0.13 for Perl allow metric injections.
The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
AnalysisAI
Metric injection in Net::Statsd for Perl (all versions before 0.13) allows network-reachable, unauthenticated attackers to forge additional StatsD metric lines by embedding newlines, colons, or pipes in metric names or values passed through the library. Any application that feeds untrusted external input into Net::Statsd method calls without prior sanitization is directly exposed, because the wire format uses those characters as delimiters between metrics in a single UDP datagram. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the CVSS AV:N/AC:L/PR:N/UI:N surface warrants prompt patching wherever user-controlled strings reach metric instrumentation calls.
Technical ContextAI
Net::Statsd (CPE: cpe:2.3:a:cosimo:net::statsd:*:*:*:*:*:*:*:*) is a Perl CPAN module for shipping application telemetry to a StatsD daemon over UDP. The StatsD wire format encodes each metric as 'name:value|type', and multiple metrics are packed into a single UDP datagram separated by newline characters. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences): prior to version 0.13, the timing, update_stats, gauge, increment, decrement, and direct send methods accepted metric names and values without checking for newlines (or any control character below ASCII 32), colons, or pipes. The update_stats and gauge methods additionally did not enforce numeric-only values, allowing string payloads containing the delimiter characters. Version 0.13 introduces internal _validate_metric_name and _validate_metric_value functions that call Carp::croak on forbidden characters; name validation is centralized in send() to catch all call paths, while value validation is applied at each individual entry-point method before the |type suffix is appended.
RemediationAI
Upgrade Net::Statsd to version 0.13 or later using 'cpanm Net::Statsd' or 'cpan Net::Statsd'; version 0.13 is confirmed as the fix release in the upstream Changes file and PR at https://github.com/cosimo/perl5-net-statsd/pull/10. If an immediate upgrade cannot be performed, apply compensating controls at the application layer: explicitly validate or reject any metric name string containing newlines, colons, or pipe characters before passing it to any Net::Statsd method, and ensure values passed to update_stats and gauge are verified numeric (e.g., via Scalar::Util::looks_like_number). Note that application-layer sanitization introduces maintenance risk - it must cover every call site - and the definitive fix is upgrading to 0.13 where validation is enforced centrally within the library. Refer to https://seclists.org/oss-sec/2026/q2/811 for the full disclosure context.
Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:
Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe
.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name
Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34295
GHSA-wjp4-mf92-6wh6