Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.

The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.

Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.

AI Analysis

Metric injection vulnerability in Metrics::Any::Adapter::DogStatsd before version 0.04 for Perl

Basic Information

ID CVE-2026-50638

Source CPANSec

Published Jun 10, 2026 at 18:32

Modified Jun 11, 2026 at 19:11

Affected Product

Vendor PEVANS

Product Metrics::Any::Adapter::DogStatsd

Affected Versions PEVANS Metrics::Any::Adapter::DogStatsd 0

CWE Classification

CWE-93

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor PEVANS

Product Metrics::Any::Adapter::DogStatsd

Version 0.03 and below

References

{
    "lastseen": "",
    "description": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.",
    "published": "2026-06-10T18:32:21.666Z",
    "modified": "2026-06-11T19:11:42.654Z",
    "type": "cve",
    "title": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections",
    "source": "CPANSec",
    "references": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes\nhttps://www.cve.org/CVERecord?id=CVE-2026-50637\nhttps://www.cve.org/CVERecord?id=CVE-2026-9270",
    "id": "CVE-2026-50638",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93"
    ],
    "cvelist": null,
    "sourceData": "PEVANS Metrics::Any::Adapter::DogStatsd 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Metrics::Any::Adapter::DogStatsd",
    "version": "0",
    "vendor": "PEVANS",
    "ai_description": "Metric injection vulnerability in Metrics::Any::Adapter::DogStatsd before version 0.04 for Perl",
    "ai_severity": "Critical",
    "ai_vendor": "PEVANS",
    "ai_product": "Metrics::Any::Adapter::DogStatsd",
    "ai_version": "0.03 and below",
    "ai_score": 9.1
}

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections_CVE-2026-50638