Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network vector confirmed; no confidentiality impact since only metric data is forged, not read; integrity impact is low and availability is unaffected.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.
Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.
In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.
AnalysisAI
Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl, allowing unauthenticated remote attackers to forge or corrupt statsd telemetry streams. The root cause is the _labels function's failure to strip or reject newlines and statsd control characters from tag label values before they are encoded into statsd UDP packets. Because statsd and dogstatsd protocols use newlines as metric delimiters, an attacker who can influence any label value flowing into the adapter can cause the server to parse additional attacker-controlled metrics. No public exploit has been identified at time of analysis, but SSVC rates the flaw as automatable with partial technical impact.
Technical ContextAI
The StatsD wire protocol - and its extensions such as DogStatsD and the SignalFx dialect - delimits multiple metrics within a single UDP packet using newline (\n) characters. Metrics::Any::Adapter::SignalFx (CPE: cpe:2.3:a:pevans:metrics::any::adapter::signalfx:*:*:*:*:*:*:*:*) is a Perl CPAN adapter that extends Metrics::Any::Adapter::Statsd and inherits a related injection weakness (see CVE-2026-50637 for the base Statsd adapter, also assigned to the same author PEVANS). The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences), meaning the library does not sanitize CRLF or bare LF characters supplied by callers through metric label values before emitting them to the statsd socket. An application that feeds any externally influenced string - HTTP header values, user identifiers, request parameters - into metric tags is directly exploitable through this pathway.
RemediationAI
The vendor-released patch is version 0.04, available on CPAN. Administrators should upgrade using 'cpanm Metrics::Any::Adapter::SignalFx' or the equivalent cpan shell command to install version 0.04 or later, confirmed via the changelog at https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes and the OSS-Security advisory at https://seclists.org/oss-sec/2026/q2/880. If an immediate upgrade is not feasible, a compensating control is to sanitize all externally influenced strings before passing them as metric label values - specifically stripping or replacing \n, \r, and statsd delimiter characters (colon, pipe, at-sign) at the application layer before invoking any Metrics::Any label function. This workaround places the sanitization burden on consuming code and may be incomplete if multiple callsites are involved; upgrade remains the definitive fix. Also review Metrics::Any::Adapter::Statsd (CVE-2026-50637) and CVE-2026-9270 for related exposure in sibling adapters.
A vulnerability was found in KBase Metrics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbit
Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36106
GHSA-xr5m-f4c4-pqjm