Skip to main content

Catalyst::Plugin::Statsd EUVDEUVD-2026-28997

| CVE-2026-45180 HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2026-05-10 CPANSec
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 12, 2026 - 17:45 vuln.today
CVSS changed
May 12, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
May 10, 2026 - 20:03 nvd
UNKNOWN (no severity yet)
CVE Published
May 10, 2026 - 20:03 nvd
HIGH 7.5

DescriptionCVE.org

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.

AnalysisAI

Session ID disclosure in Catalyst::Plugin::Statsd for Perl (versions ≤0.10.0) occurs when the StatsD communication channel lacks encryption, leaking authentication tokens over unsecured UDP to remote StatsD daemons. CVSS 7.5 (High) reflects network-accessible confidentiality impact, but EPSS score of 0.03% (9th percentile) and SSVC assessment (no observed exploitation, partial technical impact) indicate limited real-world exploitation activity. Vendor advisory from GitHub Security (GHSA-gjvr-hq83-fc38) confirms the issue with related advisories for similar Plack-Middleware-Statsd vulnerability (CVE-2026-45179).

Technical ContextAI

Catalyst::Plugin::Statsd is a Perl plugin integrating StatsD metrics collection into Catalyst web applications. The vulnerability stems from CWE-319 (Cleartext Transmission of Sensitive Information): session identifiers are transmitted unencrypted to StatsD daemons via UDP packets. When StatsD daemons reside on external networks rather than localhost, session IDs traverse untrusted network segments where passive network monitoring can capture them. Session IDs in Catalyst applications typically function as bearer tokens for authentication, making their exposure equivalent to credential compromise. The CPE identifier (cpe:2.3:a:rrwo:catalyst::plugin::statsd) confirms this affects the RRWO-maintained CPAN module, with the cleartext transmission occurring in the metrics reporting mechanism that sends application performance data including session metadata to StatsD collectors.

RemediationAI

Upgrade to Catalyst::Plugin::Statsd version 0.11.0 or later, which addresses the session ID leakage issue according to the vendor changelog at https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes and security advisory GHSA-gjvr-hq83-fc38. If immediate upgrade is not feasible, implement compensating controls: (1) Reconfigure StatsD communication to use localhost (127.0.0.1) exclusively, eliminating network transmission - this is the most effective mitigation with no functional side effects if StatsD daemon can be co-located; (2) Establish encrypted tunnels (IPsec, WireGuard, or SSH tunneling) for StatsD traffic to remote daemons, which adds latency (typically <5ms) and operational complexity but preserves remote monitoring capabilities; (3) Filter session IDs from metrics data before transmission by customizing the plugin's data serialization hooks, though this requires code modifications and may reduce debugging value. Organizations using Plack-Middleware-Statsd should also review CVE-2026-45179 and apply corresponding fixes. Audit existing StatsD configurations to identify any cross-network deployments requiring immediate action.

Share

EUVD-2026-28997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy