VYPR
High severity · 8.2 · NVD Advisory · Published May 17, 2026 · Updated May 18, 2026

CVE-2026-46720

Description

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.

The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Net::Statsd::Tiny before 0.3.8 allowed injection of arbitrary statsd metrics via unvalidated metric names and values, enabling data spoofing or disruption.

Vulnerability

Net::Statsd::Tiny versions before 0.3.8 fail to validate metric names and values for characters below ASCII 32 (including newlines), colons, and pipes. An attacker who can influence the metric name or value can inject additional statsd metrics by inserting newlines, since the protocol uses newlines to separate metrics. Affected versions are all prior to 0.3.8.

Exploitation

An attacker needs the ability to supply metric names or values (e.g., via untrusted input) to a Net::Statsd::Tiny client. By crafting input containing a newline character, the attacker can inject extra lines that become separate metrics sent to the statsd server. No authentication is required for injection if the client processes untrusted data.

Impact

Successful exploitation allows the attacker to inject arbitrary statsd metrics, potentially flooding the server with false data, altering monitoring, or masking real issues. This is a form of data injection with integrity and availability impact.

Mitigation

The fix was released in version 0.3.8, which validates metric names and values to reject characters below ASCII 32, colons, and pipes. Users should upgrade to 0.3.8 or later. The commit [1] provides the patch.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

06f814f52fbc

Validate metrics and values to block potential metric injections [CVE-2026-46720]

https://github.com/robrwo/Net-Statsd-Tiny · Robert Rothenberg · May 17, 2026 · via nvd-ref
3 files changed · +9 −1
  • Changes: +4 −0, modified
    @@ -1,6 +1,10 @@
     Revision history for Net-Statsd-Tiny
     
     {{$NEXT}}
    +  [Security]
    +  - Metrics names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines),
    +    colon (":") or pipe ("|") characters that might allow metric injection. CVE-2026-46720
    +
       [Documentation]
       - Add a security policy.
     
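Review bot: "Metrics names" in the new [Security] entry should read "Metric names"; otherwise the entry matches the check added in the lib/Net/Statsd/Tiny.pm hunk (characters below ASCII 32, ":" and "|").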
    
  • cpanfile: +1 −1, modified
    @@ -1,6 +1,7 @@
     # This file is generated by Dist::Zilla::Plugin::CPANFile v6.032
     # Do not edit this file directly. To change prereqs, edit the `dist.ini` file.
     
    +requires "Carp" => "0";
     requires "Class::Accessor::Fast" => "0";
     requires "IO::Socket" => "1.18";
     requires "base" => "0";
    @@ -9,7 +10,6 @@ requires "strict" => "0";
     requires "warnings" => "0";
     
     on 'test' => sub {
    -  requires "Carp" => "0";
       requires "Devel::StrictMode" => "0";
       requires "File::Spec" => "0";
       requires "IO::Select" => "0";
    
  • lib/Net/Statsd/Tiny.pm: +4 −0, modified
    @@ -9,6 +9,7 @@ use warnings;
     
     use base qw/ Class::Accessor::Fast /;
     
    +use Carp ();
     use IO::Socket 1.18 ();
     
     our $VERSION = 'v0.3.8';
    @@ -291,6 +292,9 @@ sub decrement {
     sub _record {
         my ( $self, $suffix, $metric, $value ) = @_;
     
    +    Carp::croak "malformed metric" if $metric =~ /[\N{U+00}-\N{U+1f}:|]/;
    +    Carp::croak "malformed value"  if $value  =~ /[\N{U+00}-\N{U+1f}:|]/;
    +
         my $data = $self->prefix . $metric . ':' . $value . $suffix . "\n";
     
         if ( $self->autoflush ) {
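Review bot: the two new checks cover $metric and $value, but the $data line built right below also interpolates $self->prefix and $suffix, which stay unvalidated; if prefix can ever be set from configuration the application does not fully trust, the same newline, ":" or "|" injection applies through it, so either validate it once where it is set or state in the POD that prefix must be trusted. Also worth documenting that _record now croaks: callers that feed user-derived names into increment/gauge and so on will see a request die unless they wrap the call in eval or Try::Tiny.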
    

Vulnerability mechanics

Root cause

"Missing validation of metric names and values allows injection of newline, colon, and pipe characters into statsd protocol messages."

Attack vector

An attacker supplies untrusted input that is used as a metric name or set value in a Net::Statsd::Tiny call. Because the library did not sanitize characters below ASCII 32 (including newlines), colons, or pipes, the attacker can embed additional statsd metrics into a single UDP packet [CWE-93]. The injection is triggered over the network by sending crafted data to any application that passes user-controlled strings to the library's metric-recording methods. No authentication or special privileges are required (CVSS PR:N).

Affected code

The vulnerable code is in `lib/Net/Statsd/Tiny.pm` in the `_record` method, which concatenates the metric name, a colon, the value, the suffix, and a newline without sanitization. The patch adds validation at lines 294-295 of that file [patch_id=424447].

What the fix does

The patch adds two validation checks in the `_record` method that call `Carp::croak` if the metric name or value matches the character class `[\N{U+00}-\N{U+1f}:|]` [patch_id=424447]. This rejects any string containing control characters (including newlines), colons, or pipes before the statsd message is constructed. The `Carp` module dependency is also moved from the test-only block to a runtime requirement so the validation is always available.
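The datagram shape and the 0.3.8 check described above, as an added Perl example that is not Net::Statsd::Tiny's own code (the helper names format_unchecked, format_checked and parse_datagram are assumptions); it also shows what a receiving statsd server would count in each case:

```perl
#!/usr/bin/env perl
# Added example, not code from Net::Statsd::Tiny: rebuilds the datagram
# shape of _record() before and after 0.3.8 and parses the result the way a
# statsd server would. format_unchecked, format_checked and parse_datagram
# are illustrative names, not the module's API.
use strict;
use warnings;
use Carp ();

# Pre-0.3.8: bare concatenation, the same shape as _record's $data line.
sub format_unchecked {
    my ( $prefix, $metric, $value, $suffix ) = @_;
    return $prefix . $metric . ':' . $value . $suffix . "\n";
}

# 0.3.8: reject characters below ASCII 32, ':' and '|' in name and value
# before the line is built (same character class as the patch).
sub format_checked {
    my ( $prefix, $metric, $value, $suffix ) = @_;
    Carp::croak "malformed metric" if $metric =~ /[\N{U+00}-\N{U+1f}:|]/;
    Carp::croak "malformed value"  if $value  =~ /[\N{U+00}-\N{U+1f}:|]/;
    return format_unchecked( $prefix, $metric, $value, $suffix );
}

# Server-side view: one metric per newline-separated line, split into
# name, value and type on ':' and '|'.
sub parse_datagram {
    my ($data) = @_;
    my @metrics;
    for my $line ( grep { length } split /\n/, $data ) {
        my ( $name, $rest ) = split /:/, $line, 2;
        my ( $value, $type ) = split /\|/, ( $rest // '' ), 2;
        push @metrics, { name => $name, value => $value, type => $type // '' };
    }
    return @metrics;
}

# Constructed untrusted metric name: a plausible key followed by a newline
# and a second key that becomes its own metric, outside the configured prefix.
my $hostile = "login.ok:1|c\nservice.healthy";

my @seen = parse_datagram( format_unchecked( 'app.', $hostile, 1, '|c' ) );
printf "unchecked: %d metrics: %s\n", scalar(@seen),
    join ', ', map { "$_->{name}=$_->{value}|$_->{type}" } @seen;

my $ok = eval { format_checked( 'app.', $hostile, 1, '|c' ); 1 };
print "checked: rejected: $@" unless $ok;
```

The unchecked path yields two metrics, the second of which (service.healthy) escapes the application's own prefix namespace; the checked path croaks before any datagram is built.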

Preconditions

  • input: The application must pass attacker-controlled input as a metric name or value to Net::Statsd::Tiny methods (e.g., gauge, increment, decrement).
  • config: The library must be version 0.3.7 or earlier.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
