CVE-2026-50637
Description
Metrics::Any::Adapter::Statsd for Perl is vulnerable to metric injection due to improper validation of metric names and values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Metrics::Any::Adapter::Statsd for Perl is vulnerable to metric injection due to improper validation of metric names and values.
Vulnerability
Versions of Metrics::Any::Adapter::Statsd for Perl prior to 0.04 do not properly validate metric names and values. The statsd protocol allows multiple metrics per packet, separated by newlines. If metric names contain newline characters or statsd control characters like colons and pipes, metric injection vulnerabilities can occur.
Exploitation
An attacker can craft a malicious metric name containing newline characters and control characters such as colons or pipes. When the send method processes these names without proper validation, the injected characters can be interpreted as commands or separators, leading to metric injection.
Impact
Successful exploitation allows an attacker to inject arbitrary metrics into the StatsD server. This could lead to data manipulation, denial of service by overwhelming the StatsD server with malformed metrics, or potentially other impacts depending on how the StatsD data is processed downstream.
Mitigation
Version 0.04, released on 2026-06-06, addresses this vulnerability by modifying the _make method to block metric names containing characters below ASCII 32 (including newlines), colons, or pipes [1]. Users should upgrade to version 0.04 or later.
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <0.04
- Range: <0.04
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.