CVE-2026-46739
Metric Injection Vulnerability in Net::Statsd Perl Module
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: CPANSec
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46739 is a security vulnerability in the perl5-Net-Statsd module where metric names and values are not properly validated, allowing an attacker to inject unauthorized metrics.
The vulnerability arises because the statsd wire format uses the pattern `name:value|type` and allows multiple metrics to be sent in a single UDP datagram separated by newlines. Since metric names are not checked for newlines, colons, or pipes, an attacker can include these control characters to forge additional malicious metric lines.
Additionally, the update_stats and gauge methods do not verify that values are numeric, which further enables metric injection.
The fix involves validating metric names and values to reject forbidden characters, preventing injection of extra metrics.
How can this vulnerability impact me?
This vulnerability can allow attackers to inject unauthorized or forged metrics into the monitoring system.
Such metric injection can lead to inaccurate monitoring data, potentially masking real issues or triggering false alarms.
It may also be exploited to manipulate system behavior or analytics that rely on these metrics, undermining trust in system health and performance data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves injection of additional statsd metrics by exploiting unvalidated metric names and values containing control characters such as newlines, colons, or pipes.
To detect this vulnerability on your network or system, you can monitor the UDP traffic sent to the statsd server for suspicious metric lines that contain unexpected control characters or multiple metrics packed into a single datagram.
Commands to help detect this might include capturing UDP packets on the statsd port (usually 8125) and inspecting their contents for suspicious characters.
- Use tcpdump to capture UDP packets on port 8125 and print their payload (the -A flag is what makes the metric text visible; without it tcpdump shows only packet headers): tcpdump -A -s 0 -l -n udp port 8125
- Pipe the output to grep or a similar tool. Because grep works one line at a time, an injected newline cannot be matched directly, and a single colon and pipe are part of every well-formed line (name:value|type). Look instead for a line with a second colon before the type separator, or a pipe appearing before the first colon, both of which indicate delimiters smuggled into a metric name or value; also compare the number of payload lines per datagram with what your application normally emits.
- Example (the first grep drops tcpdump's timestamped header lines; expect some noise from the raw header bytes tcpdump prints ahead of the payload): tcpdump -A -s 0 -l -n udp port 8125 | grep -vE '^[0-9]{2}:[0-9]{2}:[0-9]{2}' | grep -E ':[^|]*:|^[^:]*[|]'
Additionally, reviewing application logs or code that generates statsd metrics for untrusted input being passed without validation can help identify vulnerable usage.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to ensure that metric names and values are properly validated to reject any control characters such as newlines, colons, or pipes that could enable metric injection.
Specifically, update your perl5-Net-Statsd module to version 0.13 or later, which includes validation functions (_validate_metric_name() and _validate_metric_value()) that prevent injection by rejecting forbidden characters.
If immediate upgrade is not possible, implement input validation in your application code to sanitize or reject untrusted metric names and values before sending them to statsd.
Monitor and restrict access to the statsd UDP port to trusted sources only, reducing the risk of malicious metric injection from external or untrusted hosts.
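The validation described above, rebuilt as a stand-alone Perl illustration that is not Net::Statsd's own code: format_metric_unchecked, validate_metric_name, validate_metric_value and format_metric_checked are hypothetical names, and the tainted metric name is a constructed input. It shows how an unvalidated name turns one gauge call into two wire lines, and how the checks refuse it.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Characters with special meaning in the statsd wire format
# (name:value|type, one metric per line within a UDP datagram).
my $FORBIDDEN = qr/[\r\n:|]/;

# Vulnerable behaviour: the name and value go onto the wire untouched.
sub format_metric_unchecked {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type";
}

# Hardened variant (hypothetical, modelled on the fix's description):
# reject names containing wire delimiters or whitespace, and reject
# values that are not plain numbers.
sub validate_metric_name {
    my ($name) = @_;
    die "invalid metric name\n"
        if !defined $name || $name eq '' || $name =~ $FORBIDDEN || $name =~ /\s/;
    return $name;
}

sub validate_metric_value {
    my ($value) = @_;
    die "invalid metric value\n"
        if !defined $value || $value !~ /\A[+-]?(?:\d+|\d*\.\d+)\z/;
    return $value;
}

sub format_metric_checked {
    my ($name, $value, $type) = @_;
    return validate_metric_name($name) . ':'
         . validate_metric_value($value) . "|$type";
}

# Constructed untrusted input: a caller-supplied name that carries a
# complete metric line plus a newline, so a second metric rides along.
my $tainted_name = "requests.total:1|c\nauth.failures";

print "unchecked datagram (two lines reach the wire, one of them forged):\n";
print format_metric_unchecked($tainted_name, 500, 'g'), "\n";

eval { format_metric_checked($tainted_name, 500, 'g') };
print "checked name:  rejected (", $@ =~ s/\n//r, ")\n" if $@;

eval { format_metric_checked('requests.total', '12abc', 'c') };
print "checked value: rejected (", $@ =~ s/\n//r, ")\n" if $@;

print "checked ok:    ", format_metric_checked('requests.total', 1, 'c'), "\n";
```

The metric type is left unvalidated here because the advisory only covers names and values; an application that accepts the type from untrusted input should constrain it to the statsd types it expects as well.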