Skip to main content

Metrics::Any::Adapter::Statsd EUVDEUVD-2026-36104

| CVE-2026-50637 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-10 CPANSec GHSA-q83q-ghhm-p7g4
8.2
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
3.7 LOW

Network-reachable only via a downstream app that passes untrusted strings into metric names (AC:H, PR:N); impact limited to integrity of monitoring data (I:L), no confidentiality or availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 11, 2026 - 20:24 vuln.today
CVSS changed
Jun 11, 2026 - 20:22 NVD
8.2 (HIGH)
Patch available
Jun 10, 2026 - 21:16 EUVD
CVE Published
Jun 10, 2026 - 18:32 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.

The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.

The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.

Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.

AnalysisAI

Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.

Technical ContextAI

The vulnerability resides in the _make method of the Perl distribution Metrics::Any::Adapter::Statsd (CPAN author PEVANS), which serializes metrics into StatsD wire format and emits them as UDP datagrams. The StatsD protocol and its extensions (DogStatsD, etc.) use a line-oriented format where each metric is structured as 'name:value|type' and multiple metrics within a single packet are delimited by '\n'. CWE-93 (Improper Neutralization of CRLF Sequences) captures the root cause: the library accepted untrusted bytes - including ASCII control characters below 0x20 such as newline (0x0A), as well as the protocol-significant colon (0x3A) and pipe (0x7C) - directly into the wire encoding without sanitization. Version 0.04 remediates this in _make by rejecting metric names containing any byte below ASCII 32, colon, or pipe, neutralizing the injection primitive at the encoding boundary.

RemediationAI

Upgrade the Perl dependency Metrics::Any::Adapter::Statsd to vendor-released patch 0.04 or later from CPAN (https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes), which makes _make reject metric names containing characters below ASCII 32, colons, or pipes. Update cpanfile, dist.ini, or Carton/Carmel lockfiles and rebuild any deployed Perl images so the patched module is actually loaded at runtime, and review oss-security threads (seclists.org/oss-sec/2026/q2/878, /879, /880) for vendor context. If an immediate upgrade is not possible, apply a compensating wrapper around metric calls in application code that strips or rejects bytes < 0x20, ':' and '|' from all metric names and string values before they reach the adapter - the trade-off is that label values containing legitimate colons (e.g. IPv6 addresses, time strings) will be mangled or dropped, so prefer the upstream fix where feasible. Additionally, treat any externally influenced data as untrusted on the metric path and avoid using user-controlled identifiers as raw metric names.

Share

EUVD-2026-36104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy