CVE-2026-50638: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections

CVE-2026-50638: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections Robert Rothenberg 10 Jun 2026 18:35 UTC

========================================================================
CVE-2026-50638                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-50638
   Distribution:  Metrics-Any-Adapter-Statsd
       Versions:  before 0.04

       MetaCPAN: https://metacpan.org/dist/Metrics-Any-Adapter-Statsd

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not
protect against metric injections

Description
-----------
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not
protect against metric injections.

The statsd protocol (and extensions such as dogstatsd) allow mutiple
metrics,separated by newlines, to be sent per packet.

Metrics::Any::Adapter::DogStatsd which extends
Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _tags function does not check tags for newlines or
statsd control characters. The tags can be used for metric injections.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Solutions
---------
Upgrade to v0.04 or later.

References
----------
https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes
https://www.cve.org/CVERecord?id=CVE-2026-50637
https://www.cve.org/CVERecord?id=CVE-2026-9270