Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <f1416217-3d7d-4d46-8a7b-a87a5c694516@cpansec.org>
Date: Mon, 18 May 2026 07:41:51 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-8788: Net::Statsd::Lite versions through 0.10.0 for Perl
 allowed metric injections

========================================================================
CVE-2026-8788                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8788
   Distribution:  Net-Statsd-Lite
       Versions:  through 0.10.0

       MetaCPAN:  https://metacpan.org/dist/Net-Statsd-Lite
       VCS Repo:  https://github.com/robrwo/Net-Statsd-Lite


Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric
injections

Description
-----------
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric
injections.

The values from the set_add method were not checked for newlines,
colons or pipes. Metrics generated from untrusted sources could inject
additional statsd metrics.

Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric
names.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
In version 0.10.0, use the secure_set_add method which logs an HMAC
digest of the value instead of the raw value.

Validate that all values sent to the client based on untrusted data do
not contain metric injections.


Solutions
---------
Upgrade to Net::Statsd::Lite version 0.10.1 or later.


References
----------
https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes
https://www.cve.org/CVERecord?id=CVE-2026-46719

Timeline
--------
- 2026-05-14: Issue reported to CPANSec
- 2026-05-15: Author notified
- 2026-05-16: Fix released for CVE-2026-46719
- 2026-05-17: CVE-2026-8788 identified by author
- 2025-05-17: Fix released for CVE-2026-8788

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.