CVE-2026-9270
Status: Analyzed (Analysis Complete)
Metric Injection Vulnerability in DataDog DogStatsd Perl Library

Publication date: 2026-06-05

Last updated on: 2026-06-10

Assigner: CPANSec

Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-10
Generated: 2026-06-26
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Showing 1 associated CPE
Vendor: binary
Product: datadog
Version / Range: through 0.07 (inclusive)
CWE
CWE-150: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Quick Actions
Executive Summary

This vulnerability affects DataDog::DogStatsd versions through 0.07 for Perl, where the software does not properly sanitize input, allowing metric injections from untrusted sources.

Specifically, the send_stats method fails to remove newlines from metric names, does not validate the content of the metric values, and does not validate tags, which can contain newlines, pipes, and colons. This allows attackers to manipulate metric names and inject arbitrary metrics.

The module's own SYNOPSIS shows a website form's "loginName" parameter being passed as a tag, which is exactly the unsafe pattern this vulnerability describes.

Impact Analysis

This vulnerability can allow attackers to inject malicious or misleading metrics into the monitoring system.

By manipulating metric names, values, and tags, attackers could corrupt monitoring data, potentially hiding real issues or creating false alerts.

This can lead to incorrect system monitoring, misinformed decision-making, and reduced trust in the monitoring infrastructure.

Mitigation Strategies

To mitigate this vulnerability, ensure that inputs to DataDog::DogStatsd are properly sanitized before being passed to the send_stats method.

  • Avoid passing untrusted data, such as user input from web forms, directly as metric names or tags.
  • Implement validation to remove or escape newlines, pipes, and colons in metric names and tags.
  • Restrict the data types and content of values passed to methods like set, gauge, count, and histogram.

Consider updating to a version of DataDog::DogStatsd that addresses this issue if available.
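As an added example (not code from the advisory or from DataDog::DogStatsd itself), the following Perl applies the three points above before anything reaches send_stats: an allow-list for metric names, a numeric check for gauge, count and histogram values and a token check for set values, and escaping of tag values taken from user input. The wire_line helper and the hostile "loginName" value are constructed here only to make the effect visible; the library builds its own line inside send_stats, and the sanitised name, value and tags are what you would hand to it.

```perl
#!/usr/bin/env perl
# Added example, not DataDog::DogStatsd's own code: validate metric name, value
# and tags before handing them to send_stats, and show the wire line that would
# result so the effect of each check is visible.
use strict;
use warnings;

# Allow-list for metric names: dotted identifiers only. A name carrying a
# newline, ':' or '|' is rejected outright rather than repaired.
sub safe_metric_name {
    my ($name) = @_;
    die "invalid metric name\n"
        unless defined $name && $name =~ /\A[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)*\z/;
    return $name;
}

# gauge/count/histogram values must be numbers; the advisory notes these
# methods otherwise accept any string.
sub safe_numeric_value {
    my ($v) = @_;
    die "invalid numeric value\n"
        unless defined $v && $v =~ /\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][+-]?\d+)?\z/;
    return $v;
}

# set values may be strings, so restrict them to a delimiter-free token.
sub safe_set_value {
    my ($v) = @_;
    die "invalid set value\n"
        unless defined $v && $v =~ /\A[A-Za-z0-9_.\-]{1,64}\z/;
    return $v;
}

# Tags: key[:value]. Keys come from code and are allow-listed; values may come
# from user input (the SYNOPSIS "loginName" case) and are escaped, so a hostile
# value can neither terminate the tag list nor start a new metric line.
sub safe_tag {
    my ($key, $value) = @_;
    die "invalid tag key\n"
        unless defined $key && $key =~ /\A[A-Za-z][A-Za-z0-9_.\-]*\z/;
    return $key unless defined $value;
    (my $clean = $value) =~ s/[^A-Za-z0-9_.\-\/]/_/g;   # newline, '|', ':', '#' -> '_'
    $clean = substr($clean, 0, 200);                     # cap tag length
    return "$key:$clean";
}

# The DogStatsD line format (name:value|type|#tags), built here only for
# display; send_stats assembles its own line.
sub wire_line {
    my ($name, $value, $type, @tags) = @_;
    my $line = "$name:$value|$type";
    $line .= '|#' . join(',', @tags) if @tags;
    return $line;
}

unless (caller) {
    # Constructed hostile form value (not a real capture): tries to close the
    # tag list and start a second metric line.
    my $login_name = "alice|#env:prod\nother.metric:1|c";

    print "unsanitised:\n",
        wire_line('login.attempts', 1, 'c', "user:$login_name"), "\n\n";
    print "sanitised:\n",
        wire_line(safe_metric_name('login.attempts'), safe_numeric_value(1), 'c',
                  safe_tag('user', $login_name)), "\n\n";
    print "set value: ", safe_set_value('sess-42'), "\n";

    # Hostile names and values are rejected rather than repaired.
    eval { safe_metric_name("login\nadmin.override:1|c"); 1 }
        or print "rejected metric name: $@";
    eval { safe_numeric_value("0|g\nsystem.ok:1|g"); 1 }
        or print "rejected value: $@";
}
```

Run it to compare the two wire lines: the unsanitised one contains an embedded newline and so becomes two metrics on the wire, while the sanitised one carries a single tag value of alice__env_prod_other.metric_1_c. Rejecting rather than stripping bad metric names and values is deliberate: a stripped name would silently report under a different metric, which is the kind of monitoring corruption the impact section describes.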

Detection Guidance

The vulnerability in DataDog::DogStatsd versions through 0.07 for Perl involves improper sanitization of inputs in the send_stats method, allowing metric injections via newlines in metric names, unvalidated values, and tags.

To detect this vulnerability on your system or network, monitor for unusual or malformed metric data: newline characters anywhere in a metric, or pipes and colons appearing inside a metric name, tag key or tag value rather than as the field delimiters of the DogStatsd line format (name:value|type|#tags), since these are indicators of metric injection attempts.

Since the vulnerability relates to the content of metrics sent, you can inspect logs or network traffic for suspicious metric payloads.

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to filter UDP or TCP traffic on the DogStatsd port (default 8125) and look for datagrams that carry unexpected extra metric lines or delimiters inside metric names or tags.
  • Example tcpdump command to capture DogStatsd traffic and flag datagrams carrying more than one metric line (a newline injected into a metric name, value or tag splits the payload into extra lines; note that grep cannot match a newline inside a line, and ':' and '|' occur in every legitimate metric, so grepping for those characters flags all traffic): tcpdump -i <interface> -l -n -A udp port 8125 | awk '/^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ { n = 0; hdr = $0; next } /\|[a-z]+(\||$)/ { if (++n == 2) print "multi-metric datagram: " hdr }'. Clients that batch metrics also emit multi-line datagrams, so confirm which client sent a flagged datagram before treating it as injection.
  • Inspect application logs or DogStatsd logs for metrics containing unexpected newlines or special characters in metric names or tags.

Note that no specific commands are provided in the available context or resources, so these suggestions are based on the nature of the vulnerability described.
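The following Perl script is an added example, not part of the advisory or of DataDog::DogStatsd, that applies the checks above to raw DogStatsD payloads (for instance, datagrams extracted from a capture on port 8125 or metric strings written to a debug log) and reports the injection indicators: multi-line datagrams, metric names and tags that break the line format, a '|' inside the tag section, and non-numeric values for numeric metric types. The sample datagrams are constructed for the example, and the assumption that a client built on this library emits one metric per datagram is the example's own; confirm it for the sender before treating a multi-line hit as injection.

```perl
#!/usr/bin/env perl
# Added example, not part of the advisory or of DataDog::DogStatsd: inspect raw
# DogStatsD datagrams and report the injection indicators described in the
# detection guidance. The sample datagrams at the bottom are constructed.
use strict;
use warnings;

# One DogStatsD metric line: name:value|type[|@rate][|#tag1:val,tag2]
my $METRIC_RE = qr/\A([^:|]+):([^|]*)\|([a-z]+)(?:\|\@([0-9.]+))?(?:\|\#(.*))?\z/;

# What a well-behaved client emits: dotted identifiers and plain numbers.
my $NAME_RE = qr/\A[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)*\z/;
my $NUM_RE  = qr/\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][+-]?\d+)?\z/;

# Returns a list of findings for one datagram payload; an empty list is clean.
sub inspect_datagram {
    my ($payload) = @_;
    my @findings;
    my @lines = split /\n/, $payload, -1;
    pop @lines if @lines > 1 && $lines[-1] eq '';   # tolerate a trailing newline

    # Assumption of this example: the library sends one metric per send_stats
    # call, so a multi-line datagram from such a host means a newline reached
    # the wire. Batching clients do this legitimately; confirm the sender.
    push @findings, sprintf('datagram carries %d metric lines', scalar @lines)
        if @lines > 1;

    for my $line (@lines) {
        my ($name, $value, $type, undef, $tags) = $line =~ $METRIC_RE;
        if (!defined $type) {
            push @findings, "unparseable line: '$line'";
            next;
        }
        push @findings, "suspicious metric name: '$name'"
            unless $name =~ $NAME_RE;
        # c, g, h, ms and d carry numbers; only set ('s') may carry a string.
        push @findings, "non-numeric value '$value' for type '$type'"
            if $type ne 's' && $value !~ $NUM_RE;
        if (defined $tags) {
            # A '|' inside the tag section means a tag value was not escaped
            # and has introduced extra fields (e.g. a second '#' tag list).
            push @findings, "delimiter '|' inside tags: '$tags'"
                if $tags =~ /\|/;
            for my $tag (split /,/, $tags) {
                push @findings, "malformed tag: '$tag'"
                    unless $tag =~ /\A[A-Za-z][A-Za-z0-9_.\/\-]*(?::[^,]*)?\z/;
            }
        }
    }
    return @findings;
}

unless (caller) {
    # Constructed sample datagrams, not real captures.
    my %samples = (
        clean      => "page.views:1|c|#env:prod,user:alice",
        newline    => "page.views:1|c|#env:prod,user:alice\nadmin.login.failures:0|g",
        pipe_tag   => "page.views:1|c|#env:prod,user:alice|#deploy:ok",
        name_split => "login\n.attempts:1|c",
        bad_value  => "request.latency:abc|ms",
    );
    for my $label (sort keys %samples) {
        my @f = inspect_datagram($samples{$label});
        printf "%-10s %s\n", $label, @f ? join('; ', @f) : 'clean';
    }
}
```

Feed inspect_datagram one payload at a time (one UDP datagram, or one line of a debug log that records the string passed to the socket). The 'clean' sample produces no findings; each of the others reports the specific indicator, so the same function can be dropped into a log-review job or a capture post-processor without further changes.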

Compliance Impact

The provided information does not specify how the DataDog::DogStatsd metric injection vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
