CVE-2026-46740
Metric Injection in Mojolicious::Plugin::Statsd
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: CPANSec
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mojolicious | plugin_statsd | to 0.04 (inc) |
| mojolicious | plugin_statsd | to 0.06 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Mojolicious::Plugin::Statsd versions through 0.04 for Perl, where metric names and set values were not checked for special characters such as newlines, colons, or pipes before being written into the statsd line protocol.
Because those characters delimit fields and records in that protocol, an attacker who controls input that the application turns into a metric name or set value can inject additional statsd metrics, effectively enabling metric injection.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject unauthorized metrics into your statsd monitoring system.
Such metric injections could lead to misleading monitoring data, potentially causing incorrect system behavior, misinterpretation of system health, or masking of real issues.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Mojolicious::Plugin::Statsd to version 0.06 or later. Version 0.06 changes the module to use a separate statsd client that addresses the metric injection issue by using a fixed version of Net::Statsd::Tiny.
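The following is an added illustration of the bug class described above, written in Python rather than Perl; it is not code from Mojolicious::Plugin::Statsd or Net::Statsd::Tiny, and the function names are hypothetical. It contrasts a client that interpolates untrusted input into the statsd line protocol with one that rejects the delimiter characters (newline, carriage return, colon, pipe) before they reach the wire.

```python
import re

# statsd line protocol: "<name>:<value>|<type>", one metric per line.
# Constructed example; names below are hypothetical, not the module's API.

FORBIDDEN = ("\n", "\r", ":", "|")          # field and record delimiters
NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")     # conservative metric-name charset
TYPES = {"c", "g", "ms", "s"}                 # counter, gauge, timer, set


def build_metric_unsafe(name, value, kind="c"):
    """Vulnerable pattern: untrusted name/value interpolated as-is."""
    return f"{name}:{value}|{kind}"


def build_metric_safe(name, value, kind="c"):
    """Hardened pattern: reject anything that could start a new field or record."""
    if kind not in TYPES:
        raise ValueError(f"unknown metric type {kind!r}")
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid metric name {name!r}")
    if kind == "s":
        # Set members are free-form strings, so they need the delimiter check too.
        if any(ch in str(value) for ch in FORBIDDEN):
            raise ValueError(f"invalid set value {value!r}")
    elif isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"numeric value required for type {kind!r}, got {value!r}")
    return f"{name}:{value}|{kind}"


def parse_payload(payload):
    """Split a payload the way a statsd server would: one metric per line."""
    metrics = []
    for line in payload.split("\n"):
        if not line:
            continue
        name, _, rest = line.partition(":")
        value, _, kind = rest.partition("|")
        metrics.append((name, value, kind))
    return metrics


if __name__ == "__main__":
    # Constructed attacker-controlled "name": one gauge becomes two metrics.
    tainted = "page.views:1|c\nbackend.health"
    print(parse_payload(build_metric_unsafe(tainted, 0, "g")))  # two metrics
    try:
        build_metric_safe(tainted, 0, "g")
    except ValueError as exc:
        print("rejected:", exc)
```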