CVE-2026-45180
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids
In short
A Perl plugin for the Catalyst web framework may expose users' session IDs if the channel to the statsd monitoring daemon is not secured. An attacker who can observe that traffic could capture the session IDs and use them to impersonate the users they belong to.
Technical detail
Catalyst::Plugin::Statsd versions ≤0.10.0 can include user session identifiers in the metrics they send to a statsd daemon. The statsd protocol carries metrics in cleartext, normally over UDP, with no encryption or authentication, so if the daemon is reached across a network (the advisory's example is UDP packets sent to a host on another network) anyone able to observe that path can passively read the session IDs. A session ID is effectively a bearer token: the attacker can present it to the application and take over the corresponding user's session without knowing any credentials.
Summary generated and translated by AI from the official description.
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.
If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.
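The two checks a practitioner would want here are (a) what a passive observer on the UDP path actually sees, and (b) whether the configured statsd destination leaves the host at all. The script below is an added illustration, not code from Catalyst::Plugin::Statsd or its author: it parses the statsd line protocol ("name:value|type[|@rate]", several metrics per datagram separated by newlines), flags session-id-shaped tokens in metric names, and classifies a destination host as loopback or remote. The sample datagrams, the metric names, and the assumption that a session ID is a 32-to-64 character lowercase hex string are all constructed for illustration; the advisory does not state which field carries the ID or what format it has.

```python
"""Added example, not part of Catalyst::Plugin::Statsd.

Assumptions (hypothetical, for illustration only):
- the metric name is the field that may carry a session id;
- a session id looks like 32..64 lowercase hex characters.
"""
import ipaddress
import re

# Constructed sample of UDP payloads as they would appear on the wire.
SAMPLE_DATAGRAMS = [
    b"myapp.catalyst.request:1|c",
    b"myapp.catalyst.action.root.index:3|ms|@0.5",
    # the hex token is a constructed stand-in for a leaked session id
    b"myapp.catalyst.session.8f3a9c2e41d7b6e5f0a1c2d3e4f5a6b7c8d9e0f1:12|ms",
    b"myapp.catalyst.request:1|c\nmyapp.catalyst.response.time:42|ms",
]

# 32..64 lowercase hex chars that are not part of a longer hex run
SESSION_ID_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32,64}(?![0-9a-fA-F])")


def parse_datagram(payload: bytes) -> list:
    """Split one UDP payload into (name, value, type) triples."""
    metrics = []
    for line in payload.decode("utf-8", errors="replace").split("\n"):
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        value, _, tail = rest.partition("|")
        mtype = tail.split("|", 1)[0]  # drop an optional "@rate" suffix
        metrics.append((name, value, mtype))
    return metrics


def find_session_ids(payload: bytes) -> list:
    """Return session-id-shaped tokens found in any metric name."""
    found = []
    for name, _value, _mtype in parse_datagram(payload):
        found.extend(SESSION_ID_RE.findall(name))
    return found


def scan_capture(datagrams) -> list:
    """Everything a passive observer on the UDP path would harvest."""
    return [sid for d in datagrams for sid in find_session_ids(d)]


def destination_is_local(host: str) -> bool:
    """True if the statsd host is loopback, so datagrams never leave
    the machine. Accepts "localhost" or a literal IP; any other hostname
    is treated as remote rather than resolved, since resolving it would
    just reproduce the network trust decision being audited."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    for sid in scan_capture(SAMPLE_DATAGRAMS):
        print("session id visible on the wire:", sid)
    for host in ("127.0.0.1", "::1", "localhost", "10.0.5.20", "statsd.internal"):
        state = "local" if destination_is_local(host) else "REMOTE (cleartext UDP)"
        print(host, state)
```

Run against a real capture (for example the payloads of UDP port 8125 from a pcap), a non-empty result from `scan_capture` is the leak the advisory describes; a remote result from `destination_is_local` is the configuration under which it matters.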
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, High)
Affected products
RRWO · Catalyst::Plugin::Statsd
References
https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38
https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx
https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes
https://www.cve.org/CVERecord?id=CVE-2026-45179