Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (CPANSec) · only source for this CVE.
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Etsy::StatsD versions through 1.002002 for Perl allow metric injections.
The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
AnalysisAI
Metric injection in the Etsy::StatsD Perl module (versions through 1.002002) allows remote attackers to inject arbitrary statsd metrics by supplying input containing unescaped newlines, colons, or pipe characters to metric names or values. Applications that build metrics from untrusted sources (HTTP parameters, user identifiers, log fields) can be coerced into emitting forged measurements, corrupting downstream monitoring, dashboards, and alerting. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Technical ContextAI
Etsy::StatsD is a Perl client library that formats and transmits metrics to a statsd daemon using the plain-text line protocol, where each metric is encoded as 'name:value|type' delimited by newlines. CWE-93 (Improper Neutralization of CRLF Sequences) is the root cause: the library passes caller-supplied strings into the wire format without filtering the protocol's structural delimiters (newline, colon, pipe), so a single logical call can produce multiple statsd lines. The affected CPE is cpe:2.3:a:sanbeg:etsy::statsd, the CPAN distribution maintained by Steve Sanbeg, and the advisory additionally notes that unreleased gauge and set methods in the git repository share the same defect.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory at https://seclists.org/oss-sec/2026/q2/812 does not cite a fixed CPAN version, so operators should monitor the sanbeg/Etsy-StatsD distribution for a release above 1.002002 and upgrade once published. As compensating controls, sanitize any untrusted input before passing it to Etsy::StatsD by stripping or rejecting newline (\n, \r), colon (:) and pipe (|) characters, or wrap the client in a thin local adapter that performs this validation centrally; the trade-off is that aggressive stripping may mangle legitimate identifiers that legitimately contain colons. Alternatively, restrict which application code paths can construct metric names from request data and prefer fixed-allowlist metric names with user data only in tag values processed by a tag-aware backend, accepting that this requires refactoring existing instrumentation.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34296
GHSA-mcvm-9xxc-24jx