CVE-2026-46719: Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections

CVE-2026-46719: Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections Robert Rothenberg 16 May 2026 13:38 UTC

========================================================================
CVE-2026-46719                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-46719
   Distribution:  Net-Statsd-Lite
       Versions:  before 0.9.0

       MetaCPAN:  https://metacpan.org/dist/Net-Statsd-Lite
       VCS Repo:  https://github.com/robrwo/Net-Statsd-Lite

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric
injections

Description
-----------
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric
injections.

The metric names were not checked for newlines, colons or pipes.
Metrics generated from untrusted sources could inject additional statsd
metrics.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
Apply the patch.

Alternatively, validate that all metrics sent to the client based on
untrusted data do not contain metric injections.

Solutions
---------
Upgrade to Net::Statsd::Lite version 0.9.0 or later.

References
----------
https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes
https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch

Timeline
--------
- 2026-05-14: Issue reported to CPANSec
- 2026-05-15: Author notified
- 2026-05-16: Fix released