CVE-2026-9270
Metric Injection Vulnerability in DataDog DogStatsd Perl Library
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: CPANSec
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| datadog | dogstatsd | up to and including 0.07 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| CWE-150 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects DataDog::DogStatsd for Perl in versions up to and including 0.07. The module does not properly sanitize its inputs, so untrusted data can be turned into metric injection.
Specifically, the send_stats method does not strip newlines from metric names, does not validate the content of metric values, and does not validate tags, which may contain newlines, pipes, and colons. Because each of these characters has structural meaning in the DogStatsD datagram, an attacker who controls any of them can alter metric names and inject arbitrary additional metrics.
The example given is passing a website form's "loginName" parameter straight through as a tag, which is unsafe because the untrusted string reaches the datagram unvalidated.
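To make the mechanism concrete, here is an added Python example (not part of the advisory and not code from the DataDog::DogStatsd module) that builds a DogStatsD datagram only after checking the metric name, value and tags against the characters the datagram format uses as separators. The function and pattern names, and the numeric-only rule for values, are this example's own choices; naive_datagram reproduces the unchecked concatenation shape for contrast.

```python
import re
from numbers import Real

# Characters with structural meaning in a DogStatsD datagram. Caller-supplied text
# containing any of them changes how the agent parses the packet: "\n"/"\r" end
# the datagram (what follows becomes a second metric), "|" separates the value,
# type, sample-rate and tag fields, ":" splits name:value and key:value, "," tags.
STRUCTURAL_CHARS = frozenset("\n\r|:,")
METRIC_TYPES = frozenset({"c", "g", "ms", "h", "s", "d"})
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]*")
_TAG_KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9_./-]*")

class MetricInjectionError(ValueError):
    """Caller input would alter the structure of the datagram."""

def check_metric(name, value, tags=None):
    """Return a list of problems (empty when the inputs are safe to serialise)."""
    problems = []
    # fullmatch, not match() with "$": "$" also matches before a trailing "\n".
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        problems.append(f"metric name {name!r} is not [A-Za-z][A-Za-z0-9_.]*")
    # Only numbers are accepted as values; a free-form string is never serialised.
    if isinstance(value, bool) or not isinstance(value, Real):
        problems.append(f"value {value!r} is not numeric")
    for key, val in (tags or {}).items():
        if not _TAG_KEY_RE.fullmatch(str(key)):
            problems.append(f"tag key {key!r} contains disallowed characters")
        bad = STRUCTURAL_CHARS & set(str(val))
        if bad:  # conservative: ":" and "," in tag values are rejected as well
            problems.append(f"tag {key!r} value contains {sorted(bad)!r}")
    return problems

def format_datagram(name, value, mtype="c", tags=None, sample_rate=None):
    """Serialise one metric, refusing any input that check_metric() flags."""
    if mtype not in METRIC_TYPES:
        raise MetricInjectionError(f"unknown metric type {mtype!r}")
    problems = check_metric(name, value, tags)
    if problems:
        raise MetricInjectionError("; ".join(problems))
    fields = [f"{name}:{value}", mtype]
    if sample_rate is not None:
        fields.append(f"@{sample_rate}")
    if tags:
        fields.append("#" + ",".join(f"{k}:{v}" for k, v in tags.items()))
    return "|".join(fields)

def naive_datagram(name, value, mtype="c", tags=None):
    """Unchecked concatenation: the shape of the defect the advisory describes."""
    tag_field = "|#" + ",".join(f"{k}:{v}" for k, v in tags.items()) if tags else ""
    return f"{name}:{value}|{mtype}{tag_field}"
```

A form value such as a login name is only safe as a tag once check_metric() returns an empty list; with the naive builder the same value is emitted as-is, newline included.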
How can this vulnerability impact me?
This vulnerability can allow attackers to inject malicious or misleading metrics into the monitoring system.
By manipulating metric names, values, and tags, attackers could corrupt monitoring data, potentially hiding real issues or creating false alerts.
This can lead to incorrect system monitoring, misinformed decision-making, and reduced trust in the monitoring infrastructure.