[<prev] [day] [month] [year] [list]
Message-ID: <d8728694-98be-4f17-ab76-f02d3d311c7d@cpansec.org>
Date: Sat, 16 May 2026 14:38:54 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-46719: Net::Statsd::Lite versions before 0.9.0 for Perl
allowed metric injections
========================================================================
CVE-2026-46719 CPAN Security Group
========================================================================
CVE ID: CVE-2026-46719
Distribution: Net-Statsd-Lite
Versions: before 0.9.0
MetaCPAN: https://metacpan.org/dist/Net-Statsd-Lite
VCS Repo: https://github.com/robrwo/Net-Statsd-Lite
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric
injections
Description
-----------
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric
injections.
The metric names were not checked for newlines, colons or pipes.
Metrics generated from untrusted sources could inject additional statsd
metrics.
Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences
Workarounds
-----------
Apply the patch.
Alternatively, validate that all metrics sent to the client based on
untrusted data do not contain metric injections.
Solutions
---------
Upgrade to Net::Statsd::Lite version 0.9.0 or later.
References
----------
https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes
https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch
Timeline
--------
- 2026-05-14: Issue reported to CPANSec
- 2026-05-15: Author notified
- 2026-05-16: Fix released
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
