CVE-2026-46740
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections
In short
A Perl module for reporting application metrics to statsd failed to validate the metric names and values it sent, allowing an attacker who controls input that ends up in a metric to inject fake metrics into the monitoring system. This could produce misleading monitoring data and hide real performance issues.
Technical detail
Mojolicious::Plugin::Statsd versions ≤0.04 do not check metric names and values for newlines, colons, or pipes. These characters are delimiters in the statsd wire format (name:value|type, with newlines separating datagrams in one packet), so untrusted input that reaches a metric name or value can terminate the intended metric and append arbitrary further statsd messages. Untrusted input passed to metrics is the attack vector; the impact is to the integrity of monitoring data, which can mask legitimate metrics or trigger false alerts.
Summary generated and translated by AI from the official description.
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.
The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).
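The following is an added example and not code from Mojolicious::Plugin::Statsd, Net::Statsd::Tiny or the advisory. It models the statsd wire format in Python to show how the unchecked delimiters described above turn one metric into several, and two ways a client can keep that from happening (rejecting the field, or replacing the delimiters). The encoder functions, the toy server-side parser and the attacker string are all constructed for this illustration; the unchecked encoder is an assumed simplification of the affected behaviour, not the plugin's actual code.

```python
"""Added example (not the project's code): models statsd wire-format
injection through unchecked metric names/values and a hardened encoder."""
import re
from typing import List, Tuple

# On the statsd wire, ':' separates name from value, '|' separates value from
# type (and optional sample rate), and '\n' separates datagrams in one packet.
STATSD_DELIMITERS = re.compile(r"[:|\r\n]")
STATSD_TYPES = {"c", "g", "ms", "s", "h"}


def encode_metric_unchecked(name: str, value, mtype: str = "c") -> str:
    """Models the affected behaviour: interpolate name and value into the
    wire format with no validation (assumed simplification of <= 0.04)."""
    return f"{name}:{value}|{mtype}"


def encode_metric_checked(name: str, value, mtype: str = "c") -> str:
    """Hardened variant: refuse any field that contains a wire delimiter."""
    if mtype not in STATSD_TYPES:
        raise ValueError(f"unsupported statsd type {mtype!r}")
    for field in (name, str(value)):
        if STATSD_DELIMITERS.search(field):
            raise ValueError(f"statsd delimiter in metric field {field!r}")
    return f"{name}:{value}|{mtype}"


def sanitize_field(field: str) -> str:
    """Alternative to rejection: replace delimiters so the field stays a
    single token (loses information, but never creates extra metrics)."""
    return STATSD_DELIMITERS.sub("_", field)


def parse_datagram(payload: str) -> List[Tuple[str, str, str]]:
    """Minimal model of a receiving statsd server: split on newlines and read
    each line as name:value|type[|@rate]. Lines without ':' are dropped."""
    metrics = []
    for line in payload.split("\n"):
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        value, _, type_and_rate = rest.partition("|")
        metrics.append((name, value, type_and_rate.split("|", 1)[0]))
    return metrics


def is_rejected(name: str, value) -> bool:
    """True if the hardened encoder refuses this name/value pair."""
    try:
        encode_metric_checked(name, value)
    except ValueError:
        return True
    return False


def demo_injection() -> List[Tuple[str, str, str]]:
    """Constructed attacker input: an application folds a request-derived
    string (e.g. a route parameter) into a counter name. One call to the
    unchecked encoder yields three metrics, one of which zeroes a gauge."""
    attacker = "x:1|c\nerrors.total:0|g\nfake"
    payload = encode_metric_unchecked(f"requests.{attacker}", 1)
    return parse_datagram(payload)


if __name__ == "__main__":
    # The single "increment" call below is parsed by the server as three
    # metrics, including a gauge write that masks the real error count.
    print(demo_injection())
    print(sanitize_field("requests.x:1|c\nerrors.total:0|g\nfake"))
```

Run it directly to see the three parsed metrics produced by one unchecked call. Rejection (encode_metric_checked) is the safer default for names, since a mangled name is usually a bug worth surfacing; replacement (sanitize_field) is the pragmatic choice when the value is free text that must still be recorded in some form.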
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, Medium)
Affected products
RRWO · Mojolicious::Plugin::Statsd