Skip to main content

Plack::Middleware::Statsd EUVDEUVD-2026-28995

| CVE-2026-45179 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-05-10 CPANSec
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 16:30 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
5.3 (MEDIUM)
Patch available
May 10, 2026 - 21:01 EUVD
CVE Published
May 10, 2026 - 19:10 nvd
UNKNOWN (no severity yet)
CVE Published
May 10, 2026 - 19:10 nvd
MEDIUM 5.3

DescriptionCVE.org

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.

Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.

AnalysisAI

Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.

Technical ContextAI

Plack::Middleware::Statsd is a Perl middleware component that integrates Plack web applications with statsd, a lightweight network daemon for aggregating and publishing application metrics. The vulnerability stems from CWE-319 (Cleartext Transmission of Sensitive Information) - the middleware transmits user IP addresses to the statsd daemon without encryption, typically via UDP to a remote or untrusted network. When the statsd communication channel is not secured (UDP to an external host, no TLS/DTLS), any passive network observer can capture and log client IP addresses. The fix in version 0.9.0 changes the default behavior to not log IP addresses at all, and when IP logging is explicitly enabled via configuration, the IP is hashed using HMAC rather than transmitted in plaintext.

RemediationAI

The primary remediation is to upgrade Plack::Middleware::Statsd to version 0.9.0 or later. Users on Perl/CPAN can update via cpan or cpanm: cpan -u Plack::Middleware::Statsd or cpanm Plack::Middleware::Statsd@0.9.0. For organizations unable to upgrade immediately, implement network-level controls: restrict statsd daemon access to trusted internal subnets only (firewall rules blocking UDP port 8125 from untrusted sources), deploy the statsd daemon on the same host as the application (localhost only binding), or route statsd communication through an encrypted tunnel (VPN/stunnel wrapper around UDP). If IP logging is required, confirm that version 0.9.0+ is in use with IP logging explicitly enabled, which will use HMAC signatures instead of plaintext transmission. Verify the fix by reviewing application logs and statsd metric names to confirm IP addresses no longer appear in plaintext.

Share

EUVD-2026-28995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy