Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.

The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.

Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.

Basic Information

ID CVE-2026-50639

Source CPANSec

Published Jun 10, 2026 at 18:32

Modified Jun 10, 2026 at 19:38

Affected Product

Vendor PEVANS

Product Metrics::Any::Adapter::SignalFx

Affected Versions PEVANS Metrics::Any::Adapter::SignalFx 0

CWE Classification

CWE-93

References

{
    "lastseen": "",
    "description": "Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.",
    "published": "2026-06-10T18:32:30.054Z",
    "modified": "2026-06-10T19:38:13.983Z",
    "type": "cve",
    "title": "Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections",
    "source": "CPANSec",
    "references": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes\nhttps://www.cve.org/CVERecord?id=CVE-2026-50637\nhttps://www.cve.org/CVERecord?id=CVE-2026-9270",
    "id": "CVE-2026-50639",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93"
    ],
    "cvelist": null,
    "sourceData": "PEVANS Metrics::Any::Adapter::SignalFx 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Metrics::Any::Adapter::SignalFx",
    "version": "0",
    "vendor": "PEVANS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections_CVE-2026-50639