CVE-2026-8788
Metric Injection in Net::Statsd::Lite Perl Module
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: CPANSec
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Net::Statsd::Lite versions through 0.10.0 for Perl, where the values passed to the set_add method were not properly validated for special characters such as newlines, colons, or pipes.
Because these characters were not checked, an attacker could inject additional Statsd metrics by supplying crafted input from untrusted sources, leading to metric injection.
This issue is similar to a previously fixed vulnerability (CVE-2026-46719) that addressed metric name injection in version 0.9.0.
How can this vulnerability impact me?
The vulnerability allows attackers to inject arbitrary Statsd metrics by exploiting the lack of input validation in the set_add method.
This can lead to inaccurate or misleading metric data, which may affect monitoring, alerting, and performance analysis systems that rely on these metrics.
In environments where metrics influence automated decisions or billing, this could cause operational disruptions or financial inaccuracies.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Net::Statsd::Lite to a version later than 0.10.0 where the issue is fixed.
Additionally, ensure that values passed to the set_add method are sanitized to prevent injection of newlines, colons, or pipes.
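One way to apply the second mitigation above, as an added Perl example that is not code from Net::Statsd::Lite or from its fix: a guard that rejects set values containing a newline, colon or pipe before they reach set_add, plus a minimal encoder of the standard statsd set line format (name:value|s) to show why those three characters matter. The helper names validate_set_value and set_line, and the sample values, are constructed for this illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example, not code from Net::Statsd::Lite. In the statsd line
# protocol ':' separates the metric name from its value, '|' separates
# the value from its type, and a newline separates one metric from the
# next inside a packet. A value containing any of them changes how many
# metrics the receiver parses, which is the injection this CVE describes.
my $FORBIDDEN = qr/[\r\n:|]/;

# Validate a set value before it is handed to set_add (hypothetical helper).
# Returns the value unchanged when it is safe; dies otherwise.
sub validate_set_value {
    my ($value) = @_;
    die "set value is undefined\n" unless defined $value;
    die "set value contains a newline, colon or pipe\n" if $value =~ $FORBIDDEN;
    return $value;
}

# Build the wire form of a statsd set metric, "name:value|s", from a
# validated value (hypothetical helper that mirrors the protocol, not the
# module's own implementation).
sub set_line {
    my ($name, $value) = @_;
    return "$name:" . validate_set_value($value) . "|s";
}

# Constructed inputs: an ordinary user id, and one that would have carried
# a second metric into the same packet had it not been checked.
my $name    = 'app.unique_users';
my $safe    = 'user-42';
my $crafted = "user-42|s\nother.counter:1|c";

print set_line($name, $safe), "\n";

my $line = eval { set_line($name, $crafted) };
print defined $line ? "$line\n" : "rejected: $@";
```

Calling validate_set_value on every value taken from an untrusted source, before it reaches set_add, gives the same guarantee on an unpatched install that the fixed release is described as providing; the die can be swapped for logging and dropping the sample if rejecting the whole request is too aggressive for the caller.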
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Net::Statsd::Lite versions through 0.10.0 allows metric injections due to improper validation of input values. This can lead to the injection of additional statsd metrics from untrusted sources, potentially compromising the integrity and reliability of monitoring data.
While the CVE description indicates a risk to data integrity and availability (CVSS 7.3 with impact on confidentiality, integrity, and availability), there is no direct information provided about its impact on compliance with standards such as GDPR or HIPAA.
Therefore, without explicit details on how this vulnerability might lead to unauthorized access to personal or protected health information, or how it might affect regulatory compliance, it is not possible to definitively assess its impact on compliance with common standards and regulations.