Skip to main content

Net::Statsd::Lite EUVDEUVD-2026-30739

| CVE-2026-8788 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
7.3
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from Vendor (CNA) · only source for this CVE.

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 14:22 vuln.today
CVSS changed
May 19, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 18, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Metric injection in the Perl module Net::Statsd::Lite through version 0.10.0 allows remote attackers to inject arbitrary StatsD metrics by smuggling control characters (CRLF) into metric names or values that the library forwards without sanitization. The flaw was disclosed on the oss-security mailing list on 2026-05-18 by maintainer Robert Rothenberg, and no public exploit identified at time of analysis; EPSS is very low (0.03%, 8th percentile), reflecting limited mass-exploitation interest in a niche telemetry library.

Technical ContextAI

Net::Statsd::Lite is a lightweight Perl client used by applications to emit StatsD-format metrics (counters, gauges, timers) over UDP/TCP to a StatsD aggregator such as Graphite, Datadog Agent, or Telegraf. The root cause class is CWE-93 (Improper Neutralization of CRLF Sequences), commonly known as CRLF/argument injection: because StatsD packets are newline-delimited line-oriented text, any unescaped newline or pipe character in a user-supplied metric name, tag, or value lets an attacker terminate the current line and append entirely new metric records. The library prior to 0.10.1 forwarded caller-supplied strings into the wire protocol without stripping or rejecting these delimiters.

RemediationAI

Upgrade Net::Statsd::Lite to the upstream fix available (release v0.10.1) by installing the new distribution from CPAN (e.g., cpanm Net::Statsd::Lite@0.10.1) as documented in the v0.10.1 changes file on MetaCPAN. If upgrade is not immediately possible, the most effective compensating control is to sanitize at the application boundary - strip or reject the bytes \r, \n, and the StatsD delimiter | from any caller-supplied metric name, tag, or value before invoking the module (trade-off: requires code change in every call site and silently drops legitimate characters that happen to collide). Additionally, restrict UDP/TCP egress so the StatsD client can only reach the intended aggregator and ensure the aggregator and any downstream alerting do not treat injected metrics as authoritative; the trade-off is operational noise if metric names suddenly change shape after sanitization.

Share

EUVD-2026-30739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy