CVE-2026-11362: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a metric injection vulnerability in the DataDog::DogStatsd Perl library, versions 0.07 and earlier. The library is reachable over the network with no authentication required, because applications typically call it as part of handling untrusted input such as HTTP request data. Successful exploitation lets an attacker inject arbitrary StatsD metrics and events into a Datadog backend, tamper with monitoring data, and depending on backend parsing, trigger downstream integrity and confidentiality failures. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from CPANSec and upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle this Perl library. Any image layer containing DataDog::DogStatsd at or below version 0.07 is flagged automatically.
HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights it against each customer environment's compliance policy to determine routing priority. Triage findings are surfaced to the appropriate team inbox within the customer org based on configured ownership rules.
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fixed version appears in the upstream CPAN or CPANSec feed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable code path is exposed over the network; an attacker can reach it by sending crafted input to any application endpoint that passes untrusted data through the DataDog::DogStatsd event or format_event methods.
- Authentication: Not required
No credentials or account are needed; the injection surface is available to any unauthenticated party who can reach the application.
- Victim interaction: Not required
Exploitation is fully server-side and requires no action from any user or operator.
- Attack complexity: Low
Attack complexity is low; the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.
Blast Radius
- An attacker injects fabricated metric names, values, and tags into the Datadog backend, corrupting dashboards, alerts, and SLO calculations that downstream teams rely on.
- Injected newline and pipe characters allow the attacker to write entirely synthetic StatsD protocol messages, potentially forging health-check events or silencing real alerting.
- Depending on how the Datadog backend and any connected automation (auto-scaling, incident response) consume metric data, tampered values can cause incorrect operational decisions at scale.
- Confidentiality impact is high per CVSS; a backend that echoes or logs injected payloads may expose internal metric naming conventions, service topology, or environment identifiers to the attacker.
How HarborGuard Handles This
Available on HarborGuard: because no patched version of DataDog::DogStatsd has been published, HarborGuard continuously monitors the CPANSec advisory and CPAN release feed on every ingest cycle. The moment a fix version is released, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. While no upstream fix exists, customers can apply compensating controls: restrict network-policy egress from services that call DogStatsd so injected metrics cannot reach the Datadog intake endpoint; sanitize or allowlist event tag content at the application layer before passing it to the library; and consider feature-flag gating any code paths that forward untrusted user input into DogStatsd event tags. The CVSS score of 9.8 places this in the Critical tier, so HarborGuard will surface it at the highest routing priority in triage queues as soon as a fix version is detected upstream.
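As an added example (not code from the DataDog::DogStatsd distribution, from CPANSec, or from HarborGuard), the following Perl shows two things the text above describes: why the library's s/|//g substitution removes nothing, and an application-layer tag sanitiser of the kind the compensating controls recommend, applied before any tag reaches the event method. The allowlist, the 200-character cap, and the decision to preserve exactly one key:value colon per tag are assumptions of this example; the event call in the trailing comment assumes an argument layout and must be checked against the module's own documentation.

```perl
#!/usr/bin/env perl
# Added example: application-layer tag sanitisation for callers of
# DataDog::DogStatsd. Not part of the library or of the advisory.
use strict;
use warnings;

# The substitution as described in the advisory. The unescaped '|' is the
# regex alternation operator, so the pattern is "empty OR empty": it matches
# the empty string at every position and the replacement changes nothing.
sub strip_pipes_broken {
    my ($s) = @_;
    $s =~ s/|//g;
    return $s;
}

# The same intent written correctly: escape the metacharacter so a literal
# pipe character is matched and removed.
sub strip_pipes_fixed {
    my ($s) = @_;
    $s =~ s/\|//g;
    return $s;
}

# Allowlist sanitiser for one tag. A Datadog tag is "key" or "key:value".
# The tag is split on its first colon only; in each half every character
# outside [A-Za-z0-9_./-] is replaced with '_', so commas (tag separator),
# pipes (field separator), newlines (message separator) and any further
# colons can never reach the wire format. The allowlist and the length cap
# are assumptions of this example, not library behaviour.
sub sanitize_tag {
    my ($tag, $max_len) = @_;
    $max_len //= 200;                       # assumed cap for this example
    my ($key, $value) = split /:/, $tag, 2;
    for ($key, $value) {
        next unless defined;
        s/[^A-Za-z0-9_.\/-]/_/g;            # allowlist: drop , | \n : etc.
    }
    $key = 'invalid' if !defined $key || $key eq '';
    my $clean = (defined $value && $value ne '') ? "$key:$value" : $key;
    return substr($clean, 0, $max_len);
}

# Sanitise a whole tag list before handing it to the library.
sub sanitize_tags {
    return map { sanitize_tag($_) } @_;
}

# Constructed hostile input for a self-check: one tag that smuggles a newline
# (new StatsD message), a pipe (new field) and a comma (new tag).
my $hostile = "env:prod\nfake.metric:1|c,extra:tag";

die 'broken regex should leave the pipe in place'
    if strip_pipes_broken('a|b') ne 'a|b';
die 'fixed regex should remove the pipe'
    if strip_pipes_fixed('a|b') ne 'ab';
die 'sanitiser leaked a protocol delimiter'
    if sanitize_tag($hostile) =~ /[\n|,]/;
die 'sanitiser should keep only the key:value colon'
    if (sanitize_tag($hostile) =~ tr/:/:/) != 1;

print "sanitized tag: ", sanitize_tag($hostile), "\n";

# Call-site usage (argument layout of event() is an assumption of this
# example; check the module's documentation before copying it):
#   my @tags = sanitize_tags(@tags_from_untrusted_request);
#   $statsd->event('deploy finished', 'release ok', { tags => \@tags });
```

Two design points: the sanitiser replaces rather than strips, so an injected delimiter leaves a visible '_' in the stored tag rather than silently collapsing two fields into one, which makes the attempt easy to spot in the backend; and it keeps a single colon because key:value tags are legitimate, while the advisory's concern is with additional colons and the other separators that begin a new field or message.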
- BINARY / DataDog::DogStatsd ≤ 0.07
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H