Net::Async::Statsd::Client EUVD-2026-34188

CVE-2026-8722 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-03 CPANSec GHSA-hpgh-hpwg-532v
6.5
CVSS 3.1 · Vendor: CPANSec
Severity by source

Vendor (CPANSec) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (CPANSec) · only source for this CVE.

CVSS Vector (Vendor: CPANSec)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Jun 04, 2026 - 20:22: Analysis Generated (vuln.today)
Jun 04, 2026 - 20:22: CVSS changed (NVD), 6.5 (MEDIUM)
Jun 03, 2026 - 23:45: CVE Published (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

Analysis (AI)

Metric name injection in Net::Async::Statsd::Client (Perl, versions through 0.005) allows network-reachable, unauthenticated attackers to inject arbitrary StatsD metrics by supplying untrusted input containing unfiltered newlines, colons, or pipe characters. Because the StatsD wire protocol uses these characters as structural delimiters, unsanitized metric names sourced from user-controlled data can be interpreted as additional, attacker-controlled metrics by the receiving StatsD server. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Supply crafted metric name with embedded newline/pipe/colon
Delivery: Application passes unsanitized string to Net::Async::Statsd::Client
Exploit: Library serializes string into StatsD wire format without stripping delimiters
Execution: StatsD daemon parses injected string as additional metric records
Persist: Attacker-controlled metrics appear in monitoring backend
Impact: Monitoring dashboards or alerts are manipulated

Vulnerability Assessment (AI)

Exploitation: The application using Net::Async::Statsd::Client must pass attacker-controlled or externally-sourced string data directly as a metric name argument to the library without prior sanitization - this is the sole enabling condition. …

Risk Assessment: The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reflects network-reachable, zero-prerequisite exploitation with limited confidentiality and integrity impact and no availability impact. …

Exploit Scenario: An attacker interacting with a web application that records user-supplied values (such as API endpoint names, user identifiers, or search terms) as StatsD metric names crafts a request containing a string like 'legit.metric:0|c\ninjected.metric:9999|c', which Net::Async::Statsd::Client forwards unsanitized to the StatsD daemon. The StatsD server parses this as two separate metric records, polluting monitoring dashboards, potentially triggering false capacity alerts, or skewing security anomaly detection. …

Remediation: No vendor-released patch identified at time of analysis - an exact fixed version is not confirmed in the available advisory data. …
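
A caller-side guard for the condition described above, as an added example (not code from the advisory or from Net::Async::Statsd::Client). The helper names, the allow-list, the length cap and the simplified receiver model are assumptions for illustration; the input is the string from the exploit scenario.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::Async::Statsd::Client): accept only
# names built from a conservative allow-list, so newline, ':' and '|' can
# never reach the wire. Returns the name, or undef if it must be rejected.
# The 200-character cap is an arbitrary choice for this example.
sub checked_metric_name {
    my ($name) = @_;
    return undef unless defined $name && length $name && length $name <= 200;
    return $name =~ /\A[A-Za-z0-9_.-]+\z/ ? $name : undef;
}

# Hypothetical helper: the alternative to rejecting, for names derived from
# request data. Every character outside the allow-list becomes '_'.
sub scrubbed_metric_name {
    my ($name) = @_;
    (my $clean = $name // '') =~ s/[^A-Za-z0-9_.-]/_/g;
    return length $clean ? $clean : 'invalid';
}

# Simplified model of a StatsD receiver: one record per line, each record
# "name:value|type". Used only to show what the server would see.
sub records_seen_by_server {
    my ($datagram) = @_;
    my @records;
    for my $line (split /\n/, $datagram) {
        push @records, { name => $1, value => $2, type => $3 }
            if $line =~ /\A([^:]+):([^|]+)\|(\w+)/;
    }
    return @records;
}

# Constructed input: the metric name from the exploit scenario.
my $untrusted = "legit.metric:0|c\ninjected.metric:9999|c";

# An unchecked counter increment, serialized as name:value|type.
my @raw = records_seen_by_server("${untrusted}:1|c");
printf "unchecked: %d records (%s)\n", scalar @raw, join ', ', map { $_->{name} } @raw;

# With validation, the name is refused before any packet is built.
my $checked = checked_metric_name($untrusted);
printf "validated: %s\n", defined $checked ? $checked : 'rejected';

# With scrubbing, exactly one record with a harmless name is produced.
my @safe = records_seen_by_server(scrubbed_metric_name($untrusted) . ":1|c");
printf "scrubbed:  %d record (%s)\n", scalar @safe, $safe[0]{name};
```

Rejecting is the stricter option; scrubbing keeps the metric flowing but can merge distinct inputs into one name.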
