CVE-2026-11373
Status: Received - Intake
Metric Injection in Net::Statsite::Client Perl Library

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: CPANSec

Description
Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
jan_seidl net_statsite_client 1.1.0
jan_seidl net_statsite_client up to and including 1.1.0
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Executive Summary

The vulnerability in Net::Statsite::Client versions through 1.1.0 for Perl is due to improper sanitization of metric names and values, which allows metric injection attacks.

Specifically, newlines are not removed from metric names, and values are not sanitized for newlines or other protocol control characters such as colons or pipes. This enables attackers to inject malicious input that can forge additional metric lines or corrupt existing ones.

The issue arises because the send() method serializes metrics using a format in which ':' and '|' act as field separators and '\n' as the record separator, but the sanitization applied to metric names misses newline characters, and values are not sanitized at all.

Impact Analysis

This vulnerability can allow an attacker to perform injection attacks by inserting malicious metric data into the statsite protocol communication.

Such injections can lead to forged additional metric lines (cross-record injection) or corruption of existing metric records (within-record injection), potentially misleading monitoring systems or causing incorrect metric aggregation.

Detection Guidance

This vulnerability involves injection of newlines and control characters into metric names and values sent via the Statsite/StatsD UDP protocol. Detection can focus on monitoring UDP traffic to the statsite server for suspicious metric payloads containing unexpected newline characters or protocol control characters such as colons (:) and pipes (|) within metric names or values.

You can use network packet capture tools like tcpdump or Wireshark to capture UDP packets on the port used by statsite (default is often 8125). For example, a tcpdump command to capture UDP traffic on port 8125 would be:

  • tcpdump -i <interface> -A udp port 8125

After capturing, inspect the payloads for metric lines containing unexpected newline characters or multiple metric lines injected in a single UDP packet.

Additionally, on the system running the vulnerable Net::Statsite::Client, you can audit logs or application output for malformed metric names or values containing control characters.

Mitigation Strategies

To mitigate this vulnerability, you should update Net::Statsite::Client to a version that includes the patch which properly sanitizes metric names and values by removing newlines and control characters.

If an immediate upgrade is not possible, consider implementing input validation or sanitization on the client side to strip or escape newline characters and protocol separators (':', '|') from metric names and values before sending.

Also, monitor and restrict network access to the statsite UDP port to trusted sources only, reducing the risk of injection from untrusted clients.
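As an added example (not code from Net::Statsite::Client or its author), the following Perl shows both halves of the guidance above: a client-side sanitiser that strips the protocol separators from caller-supplied fields before serialisation, and a small checker that flags injected records in a captured datagram payload such as the output of the tcpdump capture described under Detection Guidance. The wire layout `<name>:<value>|<type>[|@<rate>]`, the assumption that this client sends one metric per datagram, and the sample metric names are assumptions of this example; `serialize_unsafe` only mirrors the behaviour the description attributes to send() and is not the library's code.

```perl
#!/usr/bin/env perl
# Added example, not code from Net::Statsite::Client. Shows client-side
# sanitisation of metric fields before serialisation and a detector for
# injected records in a captured statsite/statsd UDP payload.
use strict;
use warnings;

# Assumed wire layout: "<name>:<value>|<type>[|@<rate>]\n".
# ':' and '|' separate fields, "\n" separates records, "\r" is never valid.
my $SEPARATORS = qr/[\r\n:|]/;

# Strip every byte the protocol treats as a separator, so a caller-supplied
# name or value can never open a new field or a new record.
sub sanitize_field {
    my ($field) = @_;
    $field = '' unless defined $field;
    $field =~ s/$SEPARATORS//g;
    return $field;
}

# Mirrors the described weakness: fields are interpolated unchanged
# (illustrative stand-in, not the library's send()).
sub serialize_unsafe {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type\n";
}

# Hardened form: every caller-controlled field passes through sanitize_field.
sub serialize_safe {
    my ($name, $value, $type) = @_;
    return sprintf "%s:%s|%s\n",
        sanitize_field($name), sanitize_field($value), sanitize_field($type);
}

# Detector for captured payloads (e.g. from tcpdump -A). Returns a list of
# findings; an empty list means the datagram looks like one clean record.
sub scan_payload {
    my ($payload) = @_;
    my @findings;
    my @records = split /\n/, $payload, -1;
    pop @records if @records && $records[-1] eq '';   # trailing newline is normal
    # Cross-record injection: this client is assumed to send one metric per
    # datagram, so more than one record in a datagram is suspicious.
    push @findings, sprintf('cross-record: %d records in one datagram', scalar @records)
        if @records > 1;
    for my $rec (@records) {
        if ($rec =~ /\r/) {
            push @findings, "cross-record: carriage return inside record '$rec'";
            next;
        }
        # Within-record injection: an extra ':' or '|' breaks the field layout.
        push @findings, "within-record: extra separator in '$rec'"
            unless $rec =~ /^[^:|]+:[^:|]*\|[a-z]+(?:\|\@[0-9.]+)?$/;
    }
    return @findings;
}

# Demonstration with constructed input (run the file directly).
unless (caller) {
    my $hostile_name = "web.requests:1|c\nforged.metric";   # constructed sample
    my $unsafe = serialize_unsafe($hostile_name, 5, 'c');
    my $safe   = serialize_safe($hostile_name, 5, 'c');
    print "unsafe bytes on the wire:\n$unsafe";       # two records reach the server
    print "hardened bytes on the wire:\n$safe";       # one record, separators stripped
    print "scan(unsafe): $_\n" for scan_payload($unsafe);
    print "scan(safe): ", (scan_payload($safe) ? 'findings' : 'clean'), "\n";
    print "scan(within-record): $_\n"
        for scan_payload(serialize_unsafe('cpu', '1|g:9', 'g'));
}
```

Stripping is the simplest drop-in for a wrapper around the client; rejecting a name or value that contains a separator (dying or logging instead of silently altering it) is the stricter choice where a mangled metric name would itself be misleading. The detector's multi-record check only makes sense for a client that emits one metric per datagram; a batching statsd client would need that rule relaxed and the per-record layout check kept.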

Compliance Impact

The vulnerability in Net::Statsite::Client allows metric injections due to improper sanitization of metric names and values, which could lead to injection attacks via the Statsite/StatsD UDP protocol.

However, there is no information provided in the available context or resources about how this vulnerability specifically impacts compliance with common standards and regulations such as GDPR or HIPAA.
