Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Network-reachable only via a downstream app that passes untrusted strings into metric names (AC:H, PR:N); impact limited to integrity of monitoring data (I:L), no confidentiality or availability effect.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.
The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.
Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
AnalysisAI
Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.
Technical ContextAI
The vulnerability resides in the _make method of the Perl distribution Metrics::Any::Adapter::Statsd (CPAN author PEVANS), which serializes metrics into StatsD wire format and emits them as UDP datagrams. The StatsD protocol and its extensions (DogStatsD, etc.) use a line-oriented format where each metric is structured as 'name:value|type' and multiple metrics within a single packet are delimited by '\n'. CWE-93 (Improper Neutralization of CRLF Sequences) captures the root cause: the library accepted untrusted bytes - including ASCII control characters below 0x20 such as newline (0x0A), as well as the protocol-significant colon (0x3A) and pipe (0x7C) - directly into the wire encoding without sanitization. Version 0.04 remediates this in _make by rejecting metric names containing any byte below ASCII 32, colon, or pipe, neutralizing the injection primitive at the encoding boundary.
RemediationAI
Upgrade the Perl dependency Metrics::Any::Adapter::Statsd to vendor-released patch 0.04 or later from CPAN (https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes), which makes _make reject metric names containing characters below ASCII 32, colons, or pipes. Update cpanfile, dist.ini, or Carton/Carmel lockfiles and rebuild any deployed Perl images so the patched module is actually loaded at runtime, and review oss-security threads (seclists.org/oss-sec/2026/q2/878, /879, /880) for vendor context. If an immediate upgrade is not possible, apply a compensating wrapper around metric calls in application code that strips or rejects bytes < 0x20, ':' and '|' from all metric names and string values before they reach the adapter - the trade-off is that label values containing legitimate colons (e.g. IPv6 addresses, time strings) will be mangled or dropped, so prefer the upstream fix where feasible. Additionally, treat any externally influenced data as untrusted on the metric path and avoid using user-controlled identifiers as raw metric names.
A vulnerability was found in KBase Metrics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbit
Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Per
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36104
GHSA-q83q-ghhm-p7g4