Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable via injected strings with no auth or UI (AV:N/AC:L/PR:N/UI:N); impact is limited integrity corruption of telemetry data, with no confidentiality or availability effect.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.
Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.
In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
AnalysisAI
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbitrary StatsD/DogStatsD metrics by smuggling newline characters through unsanitized metric names and tags. Because the StatsD protocol treats newlines as packet delimiters for multiple metrics, attacker-controlled values forwarded into the adapter can forge additional metrics or tag payloads on the wire, with no public exploit identified at time of analysis and an EPSS score of 0.03% indicating low near-term exploitation probability.
Technical ContextAI
The vulnerable component is the CPAN distribution Metrics::Any::Adapter::DogStatsd authored by PEVANS, which extends Metrics::Any::Adapter::Statsd to support Datadog's DogStatsD extensions (tag support beyond plain StatsD). The StatsD line-oriented UDP protocol allows multiple metrics in a single packet separated by '\n' newlines, and DogStatsD additionally permits per-metric tags appended after a '|#' separator. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection'): neither the metric-emit path inherited from the Statsd parent adapter nor the internal _tags helper validates or escapes newline characters and StatsD control characters ('|', ':', '#', '@') in caller-supplied metric names or tag values, so any attacker-controlled string flowing into the adapter is concatenated directly into the wire payload. A sibling vulnerability in the parent Metrics::Any::Adapter::Statsd module is tracked alongside this issue (see related CVE-2026-50637 referenced in the advisory).
RemediationAI
Vendor-released patch: Metrics::Any::Adapter::DogStatsd 0.04 - upgrade via cpan/cpanm/Carton (e.g. 'cpanm Metrics::Any::Adapter::DogStatsd@0.04') and simultaneously update Metrics::Any::Adapter::Statsd to 0.04 to address the related parent-module issue (CVE-2026-50637), per the release notes at https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes and the oss-security advisory at https://seclists.org/oss-sec/2026/q2/879. Where immediate upgrade is not possible, apply caller-side compensating controls: strip or reject '\n', '\r', '|', ':', '#' and '@' in any user-controlled string before passing it as a metric name, value, or tag (side effect: legitimate values containing these characters will be mangled or rejected), and avoid using request-derived data such as URL paths, user-agent strings or form fields directly as metric/tag identifiers (side effect: reduces dashboard granularity but eliminates the injection sink). As a network-layer defense, restrict egress of the StatsD/DogStatsD UDP port (default 8125) to only the intended collector host so that injected packets cannot be redirected, and consider terminating telemetry at a local agent that re-serializes metrics from a structured form rather than forwarding raw text.
A vulnerability was found in KBase Metrics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject
Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Per
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36105
GHSA-m93c-ch8c-q8cj