Skip to main content

SignalFx Metrics Adapter CVE-2026-50639

| EUVDEUVD-2026-36106 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-10 CPANSec GHSA-xr5m-f4c4-pqjm
6.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network vector confirmed; no confidentiality impact since only metric data is forged, not read; integrity impact is low and availability is unaffected.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 21:45 vuln.today
Patch available
Jun 10, 2026 - 21:16 EUVD
CVSS changed
Jun 10, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 10, 2026 - 18:32 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.

The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.

Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.

AnalysisAI

Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl, allowing unauthenticated remote attackers to forge or corrupt statsd telemetry streams. The root cause is the _labels function's failure to strip or reject newlines and statsd control characters from tag label values before they are encoded into statsd UDP packets. Because statsd and dogstatsd protocols use newlines as metric delimiters, an attacker who can influence any label value flowing into the adapter can cause the server to parse additional attacker-controlled metrics. No public exploit has been identified at time of analysis, but SSVC rates the flaw as automatable with partial technical impact.

Technical ContextAI

The StatsD wire protocol - and its extensions such as DogStatsD and the SignalFx dialect - delimits multiple metrics within a single UDP packet using newline (\n) characters. Metrics::Any::Adapter::SignalFx (CPE: cpe:2.3:a:pevans:metrics::any::adapter::signalfx:*:*:*:*:*:*:*:*) is a Perl CPAN adapter that extends Metrics::Any::Adapter::Statsd and inherits a related injection weakness (see CVE-2026-50637 for the base Statsd adapter, also assigned to the same author PEVANS). The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences), meaning the library does not sanitize CRLF or bare LF characters supplied by callers through metric label values before emitting them to the statsd socket. An application that feeds any externally influenced string - HTTP header values, user identifiers, request parameters - into metric tags is directly exploitable through this pathway.

RemediationAI

The vendor-released patch is version 0.04, available on CPAN. Administrators should upgrade using 'cpanm Metrics::Any::Adapter::SignalFx' or the equivalent cpan shell command to install version 0.04 or later, confirmed via the changelog at https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes and the OSS-Security advisory at https://seclists.org/oss-sec/2026/q2/880. If an immediate upgrade is not feasible, a compensating control is to sanitize all externally influenced strings before passing them as metric label values - specifically stripping or replacing \n, \r, and statsd delimiter characters (colon, pipe, at-sign) at the application layer before invoking any Metrics::Any label function. This workaround places the sanitization burden on consuming code and may be incomplete if multiple callsites are involved; upgrade remains the definitive fix. Also review Metrics::Any::Adapter::Statsd (CVE-2026-50637) and CVE-2026-9270 for related exposure in sibling adapters.

Share

CVE-2026-50639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy