CVE-2026-50637: Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injections. The statsd protocol (and its extensions) allow multiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names contain newlines and statsd control characters (colon, pipe), then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names containing characters below ASCII 32 (which includes the newline), colons, or pipes.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: 0.04
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a metric injection vulnerability in the Perl module Metrics::Any::Adapter::Statsd, affecting all versions before 0.04. The module's send method does not validate metric names or values before writing them to the statsd UDP protocol, which uses newlines as a record separator and colons and pipes as field delimiters. An attacker who can influence metric names or values sent over the network, with no authentication required, can inject arbitrary statsd metrics, corrupting or forging monitoring data. A patched-image rebuild at version 0.04 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including CPANSec advisories, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Perl CPAN dependencies.
HarborGuard scores this finding at CVSS 8.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) and weights it against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org.
A patched-image rebuild at Metrics::Any::Adapter::Statsd 0.04 becomes available in HarborGuard the moment the fixed version is resolvable from the upstream CPAN feed. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the service over the network to supply crafted metric names or values that the vulnerable send method forwards to the statsd endpoint.
- Authentication: Not required
No credentials or session are required; the vulnerability is reachable by any party that can influence the metric inputs before they are passed to the adapter.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or operator on the target system.
- Attack complexity: Detail
The exploit is reliable and condition-free: the attacker only needs to supply a metric name or value containing a newline, colon, or pipe character, with no timing or environment constraints.
Blast Radius
- Attacker injects forged statsd metric records into the monitoring pipeline, fabricating counter, gauge, or timer readings for arbitrary metric names.
- Legitimate metric data is silently overwritten or diluted, causing dashboards and alerting thresholds to reflect false values.
- The CVSS vector rates confidentiality impact as Low, reflecting partial information disclosure: some metric namespace or naming-scheme details may be inferred from error responses or side effects.
How HarborGuard Handles This
Available on HarborGuard: image scanning capable of detecting Metrics::Any::Adapter::Statsd below version 0.04 is active for every connected registry and build pipeline, with findings surfaced within minutes of CVE publication. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to version 0.04, a regression test run, and a pull request opened against affected workloads; for high-severity findings, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. For teams that need to defer the upgrade, compensating controls include restricting which application layers or upstream services can supply metric name strings, applying network policy to limit statsd UDP traffic to known internal collectors only, and auditing metric name construction in application code to reject or strip characters below ASCII 32 and the colon and pipe characters before they reach the adapter.
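The input-validation compensating control described above, as an added Perl illustration. This is not the module's own code and not the actual _make implementation shipped in 0.04; the function names and sample inputs are mine, and the rejection rule (characters below ASCII 32, colons, pipes) follows the advisory text.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reject any metric name that could start a new statsd record or field.
# Mirrors the rule described for the 0.04 fix: characters below ASCII 32
# (newline included), colons and pipes are refused. Returns the name
# unchanged when it is safe, otherwise dies with a descriptive message.
sub validate_metric_name {
    my ($name) = @_;
    die "metric name must be defined\n" unless defined $name;
    if ($name =~ /([\x00-\x1F:|])/) {
        my $bad = sprintf '0x%02X', ord $1;
        die "unsafe character $bad in metric name\n";
    }
    return $name;
}

# Build one statsd record of the form "name:value|type". The name passes
# through the validator and the value is restricted to a plain number, so
# neither field can carry a record separator or a field delimiter.
sub make_statsd_record {
    my ($name, $value, $type) = @_;
    validate_metric_name($name);
    die "value must be numeric\n" unless $value =~ /^-?\d+(?:\.\d+)?$/;
    die "unknown type '$type'\n"  unless $type  =~ /^(?:c|g|ms|s)$/;
    return "$name:$value|$type";
}

# Constructed sample inputs (hypothetical names, not from any deployment):
# the first is ordinary, the second embeds a newline, the third a pipe.
my @names = (
    'app.requests.total',
    "app.requests.total\nother.metric",
    'app.latency|ms',
);
for my $n (@names) {
    my $rec = eval { make_statsd_record($n, 1, 'c') };
    print defined $rec ? "accepted: $rec\n" : "rejected: $@";
}
```

Running the script prints one accepted record and two rejections naming the offending byte (0x0A and 0x7C).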
Fix available
- PEVANS / Metrics::Any::Adapter::Statsd: < 0.04 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N