Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.
If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.
AnalysisAI
Session ID disclosure in Catalyst::Plugin::Statsd for Perl (versions ≤0.10.0) occurs when the StatsD communication channel lacks encryption, leaking authentication tokens over unsecured UDP to remote StatsD daemons. CVSS 7.5 (High) reflects network-accessible confidentiality impact, but EPSS score of 0.03% (9th percentile) and SSVC assessment (no observed exploitation, partial technical impact) indicate limited real-world exploitation activity. Vendor advisory from GitHub Security (GHSA-gjvr-hq83-fc38) confirms the issue with related advisories for similar Plack-Middleware-Statsd vulnerability (CVE-2026-45179).
Technical ContextAI
Catalyst::Plugin::Statsd is a Perl plugin integrating StatsD metrics collection into Catalyst web applications. The vulnerability stems from CWE-319 (Cleartext Transmission of Sensitive Information): session identifiers are transmitted unencrypted to StatsD daemons via UDP packets. When StatsD daemons reside on external networks rather than localhost, session IDs traverse untrusted network segments where passive network monitoring can capture them. Session IDs in Catalyst applications typically function as bearer tokens for authentication, making their exposure equivalent to credential compromise. The CPE identifier (cpe:2.3:a:rrwo:catalyst::plugin::statsd) confirms this affects the RRWO-maintained CPAN module, with the cleartext transmission occurring in the metrics reporting mechanism that sends application performance data including session metadata to StatsD collectors.
RemediationAI
Upgrade to Catalyst::Plugin::Statsd version 0.11.0 or later, which addresses the session ID leakage issue according to the vendor changelog at https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes and security advisory GHSA-gjvr-hq83-fc38. If immediate upgrade is not feasible, implement compensating controls: (1) Reconfigure StatsD communication to use localhost (127.0.0.1) exclusively, eliminating network transmission - this is the most effective mitigation with no functional side effects if StatsD daemon can be co-located; (2) Establish encrypted tunnels (IPsec, WireGuard, or SSH tunneling) for StatsD traffic to remote daemons, which adds latency (typically <5ms) and operational complexity but preserves remote monitoring capabilities; (3) Filter session IDs from metrics data before transmission by customizing the plugin's data serialization hooks, though this requires code modifications and may reduce debugging value. Organizations using Plack-Middleware-Statsd should also review CVE-2026-45179 and apply corresponding fixes. Audit existing StatsD configurations to identify any cross-network deployments requiring immediate action.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28997