CVE-2026-9270 (Severity: CRITICAL; CNA: CPANSec)

CVE-2026-9270: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
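As an added example (not code from DataDog::DogStatsd or from the CPANSec advisory), the following Perl validator shows the kind of pre-send check a calling application can run before handing untrusted data to send_stats-style methods such as set, gauge, count and histogram; the function name validate_metric_args and its allowed-character rules are assumptions, not the module's API.

```perl
#!/usr/bin/env perl
# Added example, not part of DataDog::DogStatsd: validate the arguments an
# application is about to pass to a send_stats-style method so that untrusted
# data cannot smuggle in an extra metric line or extra "|" / ":" fields.
use strict;
use warnings;

# One DogStatsD datagram looks like "<name>:<value>|<type>|#tag1,tag2".
# A newline starts a new metric, "|" and ":" open new fields, "," splits tags,
# so none of them may appear in caller-supplied data.
my $BREAKS_WIRE_FORMAT = qr/[\r\n|:#,]/;

# Returns ($stat, $delta, \@tags) after validation, or dies with the reason.
sub validate_metric_args {
    my ($stat, $delta, $tags) = @_;

    die "metric name must be a non-empty string\n"
        unless defined $stat && length $stat;
    # Only conventional dotted metric names such as "app.login.ok".
    die "metric name contains disallowed characters\n"
        unless $stat =~ /\A[A-Za-z][A-Za-z0-9_.]*\z/;

    # set() legitimately takes arbitrary strings, so the value is checked for
    # structure-breaking characters rather than forced to be numeric.
    die "metric value must be defined\n" unless defined $delta;
    die "metric value contains disallowed characters\n"
        if $delta =~ $BREAKS_WIRE_FORMAT;

    my @clean;
    for my $tag (@{ $tags || [] }) {
        # A tag is "name" or "key:value"; exactly one colon is allowed.
        die "tag contains disallowed characters\n"
            unless $tag =~ m{\A[A-Za-z0-9_./-]+(?::[A-Za-z0-9_./-]+)?\z};
        push @clean, $tag;
    }
    return ($stat, $delta, \@clean);
}

# Demonstration with constructed inputs: the "loginName" tag from the module's
# SYNOPSIS is only forwarded once it has passed validation.
for my $login ("alice", "alice\nforged.metric:1|c") {
    my ($stat, $delta, $tags) =
        eval { validate_metric_args('app.login.ok', 1, ["loginName:$login"]) };
    if ($@) { print "rejected: $@"; next }
    print "accepted: ${stat}:${delta}|c|#", join(',', @$tags), "\n";
}
```

The second constructed login name is rejected before any datagram is built, which is the point at which the library itself (through 0.07) performs no such check.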

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Metric injection vulnerability in the Perl DataDog::DogStatsd library (versions through 0.07) allows a remote, unauthenticated attacker to send unsanitized input through the send_stats method. By embedding newlines, pipe characters, or colons in metric names, values, or tags, an attacker can forge or overwrite StatsD metric data. Successful exploitation gives the attacker the ability to corrupt telemetry records and read or tamper with metric streams, but does not directly crash the service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from CPANSec and upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the DataDog::DogStatsd Perl library. Any image containing a vulnerable version of the library is flagged regardless of where it was sourced.

Triage: Available

HarborGuard scores this finding at CVSS 9.1 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the CPANSec advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    A service that passes untrusted input to send_stats must be reachable by the attacker; the library itself is not exposed directly, but any endpoint that feeds request data into metric names, values or tags is.

  • Authentication: Not required

    No credentials are needed; any unauthenticated request that reaches the affected input path is sufficient to inject metric data.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the service without involving any human victim.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free; inserting newline or pipe characters into metric names, values, or tags requires no special timing, memory knowledge, or environmental setup.

Blast Radius

  • Attacker injects fabricated metric events, overwriting or forging telemetry records stored in the downstream metrics backend.
  • Attacker reads or infers the metric name prefix and tag structure, exposing internal naming conventions and application instrumentation details.
  • Attacker manipulates gauge, count, histogram, and set values reported to Datadog, corrupting dashboards, alerts, and SLO calculations that depend on that data.

How HarborGuard Handles This

Available on HarborGuard: because no patched version of DataDog::DogStatsd has been published, this CVE is monitored on every ingest cycle against the CPANSec advisory feed. Any image in a customer registry or CI pipeline that bundles the affected library version will surface as a Critical finding. While the upstream fix is pending, customers can apply compensating controls at the network layer by isolating services that invoke send_stats behind an internal network policy, filtering egress from those services to restrict which systems can submit metric input, and adding input-validation middleware to strip newlines, pipes, and colons before they reach the library. For customers who opt into auto-remediation, a rebuilt image, regression test run, and PR opened against affected workloads will be triggered automatically once a fix version is confirmed upstream, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.

Affected packages

  • BINARY / DataDog::DogStatsd: ≤ 0.07

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N