Mojolicious::Plugin::Statsd CVE-2026-46740
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) · only source for this CVE.
CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.
The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).
AnalysisAI
Metric injection in Mojolicious::Plugin::Statsd through version 0.04 for Perl allows remote unauthenticated attackers to inject arbitrary statsd metrics by supplying crafted values containing newlines, colons, or pipe characters - the delimiters of the statsd wire protocol. Applications that pass untrusted input directly into metric names or set values are affected. No public exploit exists and EPSS is 0.01% (1st percentile), placing this firmly in the low-priority tier despite network accessibility; exploitation requires attacker-controlled data to flow into metric collection paths.
Technical ContextAI
The statsd protocol encodes metrics as colon-delimited key:value pairs separated by pipes for type and sample rate, with newlines separating multiple metrics in a single UDP packet (e.g., 'page.load:120|ms'). CWE-93 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) describes exactly this class of injection: user-controlled strings are embedded into a structured protocol output without sanitizing the protocol's own delimiter characters. The original Mojolicious::Plugin::Statsd adapter constructed statsd payloads directly via sprintf in Perl (e.g., sprintf '%s:%d|ms', $name, $time), without stripping or rejecting newlines ('\n'), colons (':'), or pipes ('|') from the $name or value inputs. A related vulnerability, CVE-2026-46720, affected the Net::Statsd::Tiny dependency at a similar layer. The fix in version 0.06 removes the plugin's own protocol-construction logic entirely, delegating to Net::Statsd::Tiny v0.4.0+, which addresses the sanitization at the client library level.
Affected ProductsAI
Mojolicious::Plugin::Statsd versions through 0.04 for Perl are affected. Version 0.05 is not mentioned in available data and should be treated as potentially affected. The fixed release is version 0.06, confirmed by the MetaCPAN changelog at https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes and the upstream patch commit f049156982a2c0b8050f173e24a04a29ddd64853 at GitHub. No CPE string was provided in the source data; the module is distributed via CPAN under the RRWO author namespace.
RemediationAI
Upgrade Mojolicious::Plugin::Statsd to version 0.06 or later via CPAN (cpanm Mojolicious::Plugin::Statsd or cpan Mojolicious::Plugin::Statsd). Version 0.06 replaces the plugin's own statsd protocol construction with Net::Statsd::Tiny v0.4.0+, which sanitizes metric names and values against delimiter injection. The fix is confirmed in the MetaCPAN changelog (https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes) and the GitHub commit patch (https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch). If an immediate upgrade is not possible, the compensating control is to sanitize all metric names and values in application code before passing them to the plugin - specifically, strip or reject strings containing newline characters ('\n', '\r'), colons (':'), and pipe characters ('|'). This workaround adds validation overhead and must be applied at every call site, making it error-prone; the upgrade is strongly preferred.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today