Severity: CRITICAL | CVE-2026-11373 | CNA: CPANSec

CVE-2026-11373: Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a metric injection vulnerability in Net::Statsite::Client, a Perl client library for the statsite (statsd-variant) protocol, affecting all versions through 1.1.0. The library fails to strip newlines from metric names and fails to sanitize metric values for newlines, colons, and pipe characters, which are control characters in the statsite protocol. An attacker who can influence metric names or values sent through the library can inject arbitrary forged metrics into the statsite data stream, corrupting monitoring data or masking malicious activity. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Status: Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including CPANSec) within minutes of publication and matched against customer images, including custom-built images that bundle Net::Statsite::Client as a dependency.

Triage (Status: Available)

HarborGuard scores this CVE at CVSS 9.1 (Critical) and is capable of weighting that score against each environment's compliance policy to determine urgency and route alerts to the appropriate team or inbox within each customer organization.

Patch (Status: Pending upstream)

No upstream fix has been published for this CVE as of the advisory date. HarborGuard re-evaluates the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment CPANSec or the maintainer publishes a remediated version.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send data over the network to any service or pipeline that passes attacker-influenced metric names or values through the affected library.

  • Authentication: Not required

    No authentication is required; the injection is possible through any code path that accepts external input and forwards it to Net::Statsite::Client without prior login.

  • Victim interaction: Not required

    No user interaction is needed; exploitation is fully automated once attacker-controlled input reaches the library.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and requires no special conditions, race conditions, or environmental setup beyond supplying crafted input containing newlines or protocol control characters.

Blast Radius

  • An attacker can inject forged metric records into the statsite data stream, polluting dashboards and alerting pipelines with fabricated counters, timers, or gauges.
  • Injected metrics can overwrite or shadow legitimate metrics, masking real performance degradation or security-relevant events from operators.
  • Confidential metric names or sampling logic derived from internal service names may be partially disclosed through crafted injection payloads that echo data back through the metrics pipeline.
  • Persistent injection can degrade the integrity of historical metrics stored downstream, corrupting capacity planning, SLO tracking, or incident post-mortems.

How HarborGuard Handles This

Available on HarborGuard: images containing Net::Statsite::Client at any version through 1.1.0 are flagged as soon as the CVE is matched against a customer registry or build pipeline. Because no upstream patch exists yet, HarborGuard monitors the CPANSec advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fixed version is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy rules can restrict which services are permitted to emit metrics, limiting the blast radius to internal trusted callers; egress filtering can prevent unauthorized statsite traffic from reaching downstream aggregators; and teams can gate the affected library path behind a feature flag or replace Net::Statsite::Client calls with a sanitizing wrapper that strips newlines and validates protocol characters before forwarding. For customers with auto-remediation enabled, a rebuilt image and a PR against affected workloads will be opened automatically once a fix version is published upstream.
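The sanitizing wrapper mentioned above, and the framing problem described in the advisory text, can be illustrated with a short Perl routine. This is an added example for this page, not code from Net::Statsite::Client or its maintainer. It assumes only the statsd-style wire framing of one `name:value|type` record per line (which is why CR/LF, `:` and `|` are the characters to keep out of untrusted fields) and statsite's metric type set `kv`, `g`, `ms`, `c`, `s`. It composes the wire line itself rather than calling the library's own send methods, so the returned string would be handed to whatever send path the application already uses.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Statsite/statsd framing is "name:value|type", one metric per line, so a
# newline, colon or pipe inside an untrusted field changes the record
# boundaries. The wrapper below neutralises those characters before the
# line is built. Metric type set assumed from statsite's documented types.
my %ALLOWED_TYPES = map { $_ => 1 } qw(kv g ms c s);

# Metric names: allow only a conservative character set and replace
# anything else with '_'. This keeps a hostile name to a single record.
sub sanitize_name {
    my ($name) = @_;
    die "metric name must be defined and non-empty\n"
        unless defined $name && length $name;
    (my $clean = $name) =~ s/[^A-Za-z0-9_.\-]/_/g;
    return $clean;
}

# Metric values: require a plain number. Rejecting rather than rewriting is
# safer here, because a "cleaned" value would silently report wrong data.
sub sanitize_value {
    my ($value) = @_;
    die "metric value must be numeric\n"
        unless defined $value
            && $value =~ /\A[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?\z/;
    return $value;
}

# Build exactly one wire record from sanitized parts.
sub format_metric {
    my ($name, $value, $type) = @_;
    die "unsupported metric type\n" unless $ALLOWED_TYPES{ $type // '' };
    return sprintf "%s:%s|%s\n",
        sanitize_name($name), sanitize_value($value), $type;
}

# Constructed input: a name carrying an embedded record separator.
my $hostile_name = "login.success:1|c\nlogin.failure";
print format_metric($hostile_name, 1, 'c');
# One record is emitted: login.success_1_c_login.failure:1|c

# Constructed input: a value carrying a pipe and a newline is refused.
eval { format_metric('latency', "12|c\nforged", 'ms') };
print "rejected: $@" if $@;
```

The design choice worth noting is the asymmetry: names are rewritten (a mangled name still lands in a recognisable place on a dashboard and the rewrite is easy to spot), whereas values are rejected outright, since a numeric field that has been "fixed up" would be indistinguishable from a genuine measurement. Either way, a single call produces a single record, which is the property the affected versions lack.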

Affected packages

  • JASEI / Net::Statsite::Client (≤ 1.1.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N