Datadog
Metric and tag injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows attackers who control event tag content to inject arbitrary metrics, tags, and event data into the DogStatsd telemetry stream. The CVSS 9.8 score reflects an unauthenticated network-vector CWE-93 (CRLF/separator injection) flaw in which the format_event method fails to sanitize commas, newlines, pipes, and colons - its s/|//g substitution is ineffective because the unescaped pipe is parsed as the regex alternation metacharacter (two empty alternatives), so the pattern matches only the empty string and strips nothing. No public exploit identified at time of analysis and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation interest despite the high CVSS rating.
Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows remote attackers to forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) rating and CWE-93 (CRLF Injection) classification, attackers can corrupt monitoring data, change metric name prefixes, or inject arbitrary metrics - the SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. EPSS is very low (0.03%) and no public exploit identified at time of analysis, but the trivial network attack profile means risk depends entirely on whether untrusted input reaches the library.
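The separator-injection mechanism and the pipe-regex mistake described in both entries above, as an added Perl example that is not code from DataDog::DogStatsd: the names strip_pipe_broken, strip_pipe_fixed, sanitize_field and format_metric are illustrative, and the hostile form input is constructed.

```perl
#!/usr/bin/env perl
# Added example (not DataDog::DogStatsd code): why s/|//g is a no-op and how a
# defensive sanitiser keeps untrusted values inside one DogStatsD datagram of
# the form  metric:value|type|#tag1:v1,tag2:v2
use strict;
use warnings;

# Pattern the advisory calls ineffective: an unescaped '|' is alternation
# between two empty branches, so it matches the empty string and removes nothing.
sub strip_pipe_broken {
    my ($s) = @_;
    $s =~ s/|//g;
    return $s;
}

# Corrected: escape the pipe so it is matched literally.
sub strip_pipe_fixed {
    my ($s) = @_;
    $s =~ s/\|//g;
    return $s;
}

# Defensive sanitiser for every field interpolated into a datagram. Each
# protocol separator (newline, pipe, colon, comma) and any other control
# character becomes '_', so untrusted input cannot start a new line, a new
# field or an extra tag. Replacing instead of deleting leaves a visible trace
# of the attempt in the emitted tag, which helps when reviewing dashboards.
sub sanitize_field {
    my ($s) = @_;
    $s =~ s/[\r\n|:,\x00-\x1f\x7f]/_/g;
    return $s;
}

# Builds one datagram; tag keys and values are sanitised separately so the
# legitimate key:value colon survives while injected colons do not.
sub format_metric {
    my ($name, $value, $type, $tags) = @_;
    my $line = sanitize_field($name) . ':' . sanitize_field($value) . '|' . $type;
    if ($tags && %$tags) {
        $line .= '|#' . join(',',
            map { sanitize_field($_) . ':' . sanitize_field($tags->{$_}) }
            sort keys %$tags);
    }
    return $line;
}

# Constructed hostile input modelled on the SYNOPSIS pattern of passing a web
# form field straight through as a tag value.
my $login = "alice\nforged.metric:1|c|#env:prod";
print "broken strip: ", strip_pipe_broken("a|b"), "\n";
print "fixed strip:  ", strip_pipe_fixed("a|b"), "\n";
print "datagram:     ", format_metric('web.login', 1, 'c', { loginName => $login }), "\n";
```

Running it shows the broken substitution leaving the pipe in place, the fixed one removing it, and the hostile loginName collapsing into a single tag value on a single line instead of a second metric.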