CVE-2026-50638
Description
Metrics::Any::Adapter::DogStatsd for Perl is vulnerable to metric injection via newline characters in metric names or tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Metrics::Any::Adapter::DogStatsd for Perl is vulnerable to metric injection via newline characters in metric names or tags.
Vulnerability
Versions of Metrics::Any::Adapter::DogStatsd for Perl prior to 0.04 are vulnerable to metric injection. The statsd protocol allows multiple metrics per packet, separated by newlines. The _tags function in this adapter does not sanitize tags for newline or statsd control characters, enabling metric injection through tags [1].
Exploitation
An attacker can exploit this vulnerability by sending specially crafted packets containing newline characters within metric names or tags. These malicious packets can be injected into the DogStatsd endpoint, bypassing input validation and leading to the execution of arbitrary metrics [1].
Impact
Successful exploitation allows an attacker to inject arbitrary metrics into the system. This can lead to data manipulation, denial of service by overwhelming the monitoring system, or potentially further compromise if the injected metrics trigger unintended actions or alerts within the monitored environment.
Mitigation
This vulnerability is fixed in Metrics::Any::Adapter::DogStatsd version 0.04, released on 2026-06-06. Users are advised to upgrade to this version or later. No workarounds are specified in the available references [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <0.04
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.