Skip to main content

Etsy::StatsD CVE-2026-46741

| EUVDEUVD-2026-34296 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-04 CPANSec GHSA-mcvm-9xxc-24jx
7.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from Vendor (CPANSec) · only source for this CVE.

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 19:23 vuln.today
CVSS changed
Jun 04, 2026 - 19:22 NVD
7.5 (HIGH)
CVE Published
Jun 04, 2026 - 15:54 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Etsy::StatsD versions through 1.002002 for Perl allow metric injections.

The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.

AnalysisAI

Metric injection in the Etsy::StatsD Perl module (versions through 1.002002) allows remote attackers to inject arbitrary statsd metrics by supplying input containing unescaped newlines, colons, or pipe characters to metric names or values. Applications that build metrics from untrusted sources (HTTP parameters, user identifiers, log fields) can be coerced into emitting forged measurements, corrupting downstream monitoring, dashboards, and alerting. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Technical ContextAI

Etsy::StatsD is a Perl client library that formats and transmits metrics to a statsd daemon using the plain-text line protocol, where each metric is encoded as 'name:value|type' delimited by newlines. CWE-93 (Improper Neutralization of CRLF Sequences) is the root cause: the library passes caller-supplied strings into the wire format without filtering the protocol's structural delimiters (newline, colon, pipe), so a single logical call can produce multiple statsd lines. The affected CPE is cpe:2.3:a:sanbeg:etsy::statsd, the CPAN distribution maintained by Steve Sanbeg, and the advisory additionally notes that unreleased gauge and set methods in the git repository share the same defect.

RemediationAI

No vendor-released patch identified at time of analysis - the advisory at https://seclists.org/oss-sec/2026/q2/812 does not cite a fixed CPAN version, so operators should monitor the sanbeg/Etsy-StatsD distribution for a release above 1.002002 and upgrade once published. As compensating controls, sanitize any untrusted input before passing it to Etsy::StatsD by stripping or rejecting newline (\n, \r), colon (:) and pipe (|) characters, or wrap the client in a thin local adapter that performs this validation centrally; the trade-off is that aggressive stripping may mangle legitimate identifiers that legitimately contain colons. Alternatively, restrict which application code paths can construct metric names from request data and prefer fixed-allowlist metric names with user data only in tag values processed by a tag-aware backend, accepting that this requires refactoring existing instrumentation.

Share

CVE-2026-46741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy