CVE-2026-45179

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses

CVSS 5.3 MEDIUM | EPSS 0.2% | CWE-319
In short

Plack::Middleware::Statsd, a Perl middleware for Plack, may expose user IP addresses if the connection to the monitoring system isn't secure. This is a privacy risk because attackers on the network could see who is accessing the application.

Technical detail

CWE-319 (Cleartext Transmission of Sensitive Information): Plack::Middleware::Statsd versions before 0.9.0 send user IP addresses to the statsd daemon over UDP without encryption or authentication. An attacker with network access to the statsd communication channel can passively intercept those IP addresses. Since v0.9.0 the IP address is no longer logged unless explicitly configured, and when it is configured an HMAC signature of the IP address is logged instead of the plaintext value.

Summary generated and translated by AI from the official description.
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
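To check your own statsd traffic for the exposure described above, the following added example (not code from Plack::Middleware::Statsd or from this advisory) scans captured statsd datagrams for values that parse as IP addresses and shows the keyed-HMAC form that stops matching. The metric name `app.request.remote_addr`, the sample datagrams and the choice of HMAC-SHA256 are assumptions; the advisory does not state which hash the module uses.

```python
import hashlib
import hmac
import ipaddress

# Constructed statsd datagrams ("name:value|type"); metric names are assumptions.
SAMPLE_DATAGRAMS = [
    b"app.response.200:1|c\napp.request.remote_addr:203.0.113.7|s",
    b"app.response.time:12|ms",
    b"app.request.remote_addr:2001:db8::1|s",
]

def parse_metrics(datagram):
    """Yield (name, value, type) for each newline-separated metric in a datagram."""
    for line in datagram.decode("utf-8", "replace").splitlines():
        body, _, rest = line.partition("|")
        # Split on the first ':' only, so an IPv6 value keeps its own colons.
        name, _, value = body.partition(":")
        mtype = rest.split("|")[0]  # drop an optional "|@rate" suffix
        if name and value and mtype:
            yield name, value, mtype

def is_ip(value):
    """True if the metric value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def find_cleartext_ips(datagrams):
    """Return (metric name, value) for every metric carrying a raw IP address."""
    return [(n, v) for d in datagrams for n, v, _ in parse_metrics(d) if is_ip(v)]

def pseudonymize(ip, key):
    """HMAC-SHA256 (assumed hash) over the canonical text form of the address."""
    canonical = ipaddress.ip_address(ip).compressed
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def set_metric(name, ip, key):
    """Build a statsd set metric that carries the HMAC instead of the address."""
    return f"{name}:{pseudonymize(ip, key)}|s".encode()

if __name__ == "__main__":
    for name, value in find_cleartext_ips(SAMPLE_DATAGRAMS):
        print(f"cleartext IP in {name}: {value}")
    print(set_metric("app.request.remote_addr", "203.0.113.7", b"constructed-demo-key"))
```

The HMAC output is only as private as its key: the IPv4 address space is small enough to enumerate, so anyone holding the key can map digests back to addresses.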
