GHSA-57h4-p8xg-x38x
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (CNA) · only source for this CVE.
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Metric injection in the Perl module Net::Statsd::Lite through version 0.10.0 allows remote attackers to inject arbitrary StatsD metrics by smuggling control characters (CRLF) into metric names or values that the library forwards without sanitization. The flaw was disclosed on the oss-security mailing list on 2026-05-18 by maintainer Robert Rothenberg, and no public exploit identified at time of analysis; EPSS is very low (0.03%, 8th percentile), reflecting limited mass-exploitation interest in a niche telemetry library.
Technical ContextAI
Net::Statsd::Lite is a lightweight Perl client used by applications to emit StatsD-format metrics (counters, gauges, timers) over UDP/TCP to a StatsD aggregator such as Graphite, Datadog Agent, or Telegraf. The root cause class is CWE-93 (Improper Neutralization of CRLF Sequences), commonly known as CRLF/argument injection: because StatsD packets are newline-delimited line-oriented text, any unescaped newline or pipe character in a user-supplied metric name, tag, or value lets an attacker terminate the current line and append entirely new metric records. The library prior to 0.10.1 forwarded caller-supplied strings into the wire protocol without stripping or rejecting these delimiters.
RemediationAI
Upgrade Net::Statsd::Lite to the upstream fix available (release v0.10.1) by installing the new distribution from CPAN (e.g., cpanm Net::Statsd::Lite@0.10.1) as documented in the v0.10.1 changes file on MetaCPAN. If upgrade is not immediately possible, the most effective compensating control is to sanitize at the application boundary - strip or reject the bytes \r, \n, and the StatsD delimiter | from any caller-supplied metric name, tag, or value before invoking the module (trade-off: requires code change in every call site and silently drops legitimate characters that happen to collide). Additionally, restrict UDP/TCP egress so the StatsD client can only reach the intended aggregator and ensure the aggregator and any downstream alerting do not treat injected metrics as authoritative; the trade-off is operational noise if metric names suddenly change shape after sanitization.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30739