CVE-2026-8788
Description
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.
The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Note that version 0.9.0 fixed a similar issue, CVE-2026-46719, for metric names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Net::Statsd::Lite up to 0.10.0 does not sanitize metric values in set_add, allowing injection of arbitrary statsd metrics from untrusted input.
Vulnerability
Net::Statsd::Lite for Perl versions through 0.10.0 fail to sanitize values passed to the set_add method. Newlines, colons, or pipe characters in metric values are not filtered, enabling an attacker to inject arbitrary additional statsd metrics. This issue affects all versions up to and including 0.10.0. A prior similar issue (CVE-2026-46719) was fixed in 0.9.0, but only covered metric names, not values [1].
Exploitation
An attacker who controls the value input to set_add can craft a payload containing newline, colon, or pipe characters to inject additional statsd metrics. No authentication or special network position is required if the attacker can supply the metric value directly (e.g., via user input or untrusted data source). The injection occurs during metric generation, which is then transmitted to the statsd collector.
Impact
Successful exploitation allows an attacker to inject arbitrary statsd metrics into the monitoring stream. This can lead to data corruption, metric manipulation, or injection of malicious metric names/values that may be processed by downstream analytics systems. The confidentiality and integrity of monitoring data are compromised, though the extent depends on how the injected metrics are consumed.
Mitigation
Upgrade to version 0.10.1 or later, which was released to address this issue [1]. As a workaround, sanitize all input values passed to set_add at the application level, stripping or rejecting newline, colon, and pipe characters before calling the method.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.10.0
Patches
1327568b2d113 Check that values do not allow metric injection [CVE-2026-8788]
3 files changed · +12 −2
Changes+7 −1 modified@@ -1,9 +1,15 @@ Revision history for Net-Statsd-Lite {{$NEXT}} + [Security] + - Values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), + colon (":") or pipe ("|") characters that might allow metric injection. CVE-2026-8788 + [Documentation] - Added missing GitHub reference to Changes. + - Revised wording in Changes. + v0.10.0 2026-05-16 10:29:04+01:00 Europe/London [Enhancements] - Metrics names with any characters below ASCII 32 will be blocked. @@ -18,7 +24,7 @@ v0.10.0 2026-05-16 10:29:04+01:00 Europe/London v0.9.0 2026-05-16 02:10:00+01:00 Europe/London [Security] - - Metrics names are now validated to ensure they do not contain newlines, ":" or "|" characters that + - Metrics names are now validated to ensure they do not contain newlines, colon (":") or pipe ("|") characters that might allow metric injection. CVE-2026-46719 [Documentation]
lib/Net/Statsd/Lite.pm+1 −0 modified@@ -430,6 +430,7 @@ sub record_metric( $self, $suffix, $metric, $value, $ ) { croak "malformed suffix" if $suffix =~ /[\n]/; croak "malformed metric" if $metric =~ /[\N{U+00}-\N{U+1f}:|]/; + croak "malformed value" if $value =~ /[\N{U+00}-\N{U+1f}:|]/; my $data = $self->prefix . $metric . ':' . $value . $suffix . "\n";
README.md+4 −1 modified@@ -46,10 +46,13 @@ specified. But it otherwise does not enforce maximum/minimum values. # RECENT CHANGES -Changes for version v0.10.1 (2026-05-16) +Changes for version v0.10.1 (2026-05-17) +- Security + - Values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), colon (":") or pipe ("|") characters that might allow metric injection. CVE-2026-8788 - Documentation - Added missing GitHub reference to Changes. + - Revised wording in Changes. See the `Changes` file for more details.
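Review bot: The new `croak "malformed value" if $value =~ /[\N{U+00}-\N{U+1f}:|]/;` line in the lib/Net/Statsd/Lite.pm hunk turns an untrusted value into a fatal exception instead of a dropped metric, so any caller that passes user-controlled data to set_add now dies unless it wraps the call in eval; the diff updates Changes and README.md but contains no POD change, so the method documentation in Lite.pm should state that values containing characters below ASCII 32, ":" or "|" croak. The suffix check one line above still only rejects "\n"; if suffixes are always library-generated that is fine, but a short comment saying so would make the asymmetry with the metric and value checks intentional.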
Vulnerability mechanics
Root cause
"Missing input validation on metric values allows injection of newlines, colons, or pipes, enabling an attacker to inject arbitrary statsd metrics."
Attack vector
An attacker supplies untrusted input to the `set_add` method (or any method that passes a value to `record_metric`). If the value contains newline, colon, or pipe characters, those characters are not sanitized before the metric is formatted and sent. Because the statsd protocol uses colons to separate metric names from values, pipes to separate multiple metrics, and newlines to terminate lines, an attacker can inject arbitrary additional metrics into the stream [CWE-93]. The attack requires no authentication and can be performed over the network wherever the application accepts untrusted metric values.
Affected code
The vulnerability exists in `lib/Net/Statsd/Lite.pm` in the `record_metric` subroutine. The method validates the `$suffix` and `$metric` parameters for injection characters but, before the patch, did not validate the `$value` parameter [patch_id=831076].
What the fix does
The patch adds a single line to `lib/Net/Statsd/Lite.pm` that validates the `$value` parameter with the same regex already used for metric names: `croak "malformed value" if $value =~ /[\N{U+00}-\N{U+1f}:|]/;` [patch_id=831076]. This check rejects any value containing characters below ASCII 32 (including newlines), colons, or pipes, which are the characters that could be used to inject additional statsd metrics. The same validation was already applied to metric names in version 0.9.0 (CVE-2026-46719), and this patch closes the remaining gap for metric values.
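To make the delimiter problem from the attack-vector section and the patched check concrete, here is an added Perl illustration that is not Net::Statsd::Lite's own code: a minimal formatter using the same forbidden-character class as the fix, and a counter that shows how many metrics a statsd receiver would parse out of one payload. The names `format_metric` and `count_metrics` and the sample value are assumptions for this example.

```perl
#!/usr/bin/env perl
# Added illustration, not code from Net::Statsd::Lite: a minimal statsd
# formatter with the same forbidden-character class as the fix, and a
# counter showing how many metrics a receiver would parse from one payload.
use strict;
use warnings;
use Carp qw(croak);

# Same class as the patched record_metric: ASCII control characters
# (including "\n"), ":" and "|" are all statsd delimiters.
my $FORBIDDEN = qr/[\N{U+00}-\N{U+1f}:|]/;

# Builds one statsd line; $validate_value toggles the check that the fix added.
sub format_metric {
    my ( $metric, $value, $suffix, $validate_value ) = @_;
    croak "malformed metric" if $metric =~ $FORBIDDEN;
    croak "malformed value"  if $validate_value && $value =~ $FORBIDDEN;
    return "$metric:$value$suffix\n";
}

# Counts the non-empty lines a statsd receiver would treat as separate metrics.
sub count_metrics {
    my ($payload) = @_;
    return scalar grep { /\S/ } split /\n/, $payload;
}

# Constructed untrusted value: a legitimate "1" followed by a newline and
# a second, attacker-chosen metric line (the pattern the advisory describes).
my $untrusted = "1\nother.metric:999|c";

# Pre-0.10.1 behaviour: the value is interpolated unchanged, so two metrics
# leave the process even though the caller only recorded one.
my $before = format_metric( 'users.active', $untrusted, '|s', 0 );
printf "unvalidated: %d metric(s) in payload\n", count_metrics($before);

# 0.10.1 behaviour: the same call croaks, so nothing is sent. Callers that
# feed untrusted data into set_add must catch this (here via eval).
my $after = eval { format_metric( 'users.active', $untrusted, '|s', 1 ) };
print "validated: rejected, $@" unless defined $after;

# Clean input passes the check and yields exactly one metric.
printf "clean: %d metric(s)\n",
    count_metrics( format_metric( 'users.active', 'alice', '|s', 1 ) );
```

The same count check is a cheap regression test for any application-level workaround: after sanitizing, every formatted payload should contain exactly one metric per call.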
Preconditions
- input: The application must pass untrusted user input as a metric value to Net::Statsd::Lite methods such as set_add.
- auth: No authentication is required; the attacker can be unauthenticated.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.