CVE-2026-45179 Overview
CVE-2026-45179 is an information disclosure vulnerability in Plack::Middleware::Statsd, a Perl middleware module that sends application metrics to a statsd daemon. Versions before 0.9.0 log user IP addresses to the statsd daemon in cleartext. When the communication channel between the Perl application and the statsd daemon is unsecured, such as UDP packets traversing untrusted networks, user IP addresses can be exposed to network observers. The flaw is classified as [CWE-319] Cleartext Transmission of Sensitive Information.
Critical Impact
Unauthenticated network-adjacent attackers can passively observe user IP addresses transmitted between Perl web applications and statsd collection daemons.
Affected Products
- Plack::Middleware::Statsd for Perl, all versions prior to 0.9.0
- Perl applications using Plack middleware with statsd telemetry integration
- Deployments routing statsd UDP traffic across untrusted network segments
Discovery Timeline
- 2026-05-10 - CVE-2026-45179 published to NVD
- 2026-05-10 - Openwall oss-security advisory issued
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-45179
Vulnerability Analysis
The Plack::Middleware::Statsd module instruments Perl web applications by emitting request metrics to a statsd daemon. In versions before 0.9.0, the middleware includes the client IP address as part of the metric payload sent to the daemon. Statsd traffic is commonly transmitted over UDP without authentication or encryption. When the daemon resides on a separate host, the cleartext IP data traverses the network in plain view of any party able to observe the packets.
Attackers positioned on the path between the application server and the statsd daemon can capture user IP addresses without authentication or user interaction. The exposure is limited to confidentiality of IP data and does not grant access to credentials, session tokens, or application state.
Root Cause
The root cause is the implicit logging of personally identifiable network metadata to a telemetry channel that lacks transport security. The middleware passes the IP address as a tag or metric dimension without giving operators a documented mechanism to redact or hash the value. Statsd's UDP transport offers no encryption, so any cleartext value sent to it is subject to network-level disclosure.
Attack Vector
Exploitation requires network observation between the Plack application and the statsd collector. A passive attacker with access to a shared network segment, a compromised intermediate host, or a misconfigured cloud network can capture UDP packets containing the IP fields. No privileges, user interaction, or active interaction with the target application are required. The attack does not modify data or affect availability.
No public exploit code is required. Standard packet capture tooling such as tcpdump or tshark filtered on the statsd port is sufficient to observe the disclosed values.
Detection Methods for CVE-2026-45179
Indicators of Compromise
- Outbound UDP traffic to statsd daemons (default port 8125) originating from Perl/Plack application servers and crossing network boundaries.
- Statsd metric payloads containing IPv4 or IPv6 address strings in metric names, tags, or dimensions.
- Installed Perl module Plack::Middleware::Statsd at a version below 0.9.0 reported via cpan -l or package inventory.
Detection Strategies
- Inventory Perl dependencies across application servers and flag any Plack::Middleware::Statsd release earlier than 0.9.0.
- Inspect statsd packet captures in non-production environments for embedded IP address patterns to confirm exposure scope.
- Review application configuration for statsd endpoints that resolve to hosts outside the application's trust boundary.
Monitoring Recommendations
- Alert on cleartext UDP statsd flows that egress the local subnet or VPC where the application runs.
- Track Perl module version drift in CI/CD pipelines and block builds that pin vulnerable releases.
- Audit statsd collector ingest logs for metric keys containing address-like tokens to identify residual data exposure.
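One way to carry out the payload inspection called for in the detection and monitoring items above, as an added Python example that is not part of the original advisory or of the module: it parses statsd wire lines and reports any IPv4 or IPv6 literal found in the metric name or in a dogstatsd-style tag. The sample lines, the tag layout and the `ip` tag name are constructed assumptions, not the module's actual output format.

```python
import ipaddress

# Constructed statsd lines (not captured traffic). The "|#key:value" tag syntax is
# the dogstatsd-style extension; whether a vulnerable release put the IP in a tag
# or in the metric name is an assumption here, so both placements are checked.
SAMPLE_PAYLOADS = [
    "plack.request.count:1|c",
    "plack.request.time:42|ms|#ip:203.0.113.7,method:GET",
    "plack.client.203.0.113.7.requests:1|c",
    "plack.request.time:12|ms|#ip:2001:db8::1,method:POST",
    "plack.request.time:9|ms|#ip:3f2a9c1e0b7d,method:GET",  # hashed value: clean
]

def _as_ip(token):
    """Canonical address string if token is an IPv4/IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None

def scan_payload(line):
    """Return [(where, address)] for each IP literal in one statsd line.
    Handles "<name>:<value>|<type>[|@rate][|#tag1:val1,tag2:val2]"."""
    hits = []
    fields = line.split("|")
    segs = fields[0].split(":", 1)[0].split(".")
    # IPv4 can hide in a dotted metric name as four consecutive numeric segments;
    # IPv6 cannot, because ':' is the name/value delimiter in the wire format.
    i = 0
    while i + 4 <= len(segs):
        quad = segs[i:i + 4]
        addr = _as_ip(".".join(quad)) if all(s.isdigit() for s in quad) else None
        if addr:
            hits.append(("name", addr))
            i += 4
        else:
            i += 1
    for field in fields[1:]:
        if not field.startswith("#"):
            continue
        for tag in field[1:].split(","):
            key, _, value = tag.partition(":")  # value may contain ':' (IPv6)
            addr = _as_ip(value)
            if addr:
                hits.append(("tag:" + key, addr))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_PAYLOADS:
        print(f"{line!r} -> {scan_payload(line)}")
```

Run it over a decoded capture of the statsd port (one datagram per line) to estimate how many metrics still carry an address after the upgrade.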
How to Mitigate CVE-2026-45179
Immediate Actions Required
- Upgrade Plack::Middleware::Statsd to version 0.9.0 or later on all Perl application servers.
- Confirm that the upgraded configuration does not explicitly opt back into IP address logging unless required.
- If IP logging is required, configure the middleware to emit an HMAC signature of the IP rather than the raw value.
- Restrict statsd traffic to loopback or a dedicated, isolated network segment.
Patch Information
The maintainer released Plack-Middleware-Statsd v0.9.0, which removes default IP address logging. When IP logging is explicitly enabled, the module now records an HMAC signature of the address rather than the cleartext value. Refer to the MetaCPAN Release Changes and the GitHub Security Advisory GHSA-9gwm-665p-w2xx for upgrade details. Additional context is available in the Openwall oss-security notice.
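The approach the fix takes, a keyed HMAC of the address computed before anything leaves the application, as an added Python example that is not the module's own code: the module's option names and tag layout are not shown on this page and are not assumed here, and DEMO_KEY and the `#client:` tag are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress

# Constructed key for the demonstration only; a real deployment loads a random
# per-deployment secret (e.g. from the environment) and never hard-codes it.
DEMO_KEY = b"demo-only-key-replace-with-32-random-bytes"

def pseudonymise_ip(ip_text, key, length=16):
    """Keyed, truncated hex HMAC-SHA256 of the canonical address.

    Canonicalising first makes "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" yield the
    same token, so per-client correlation in dashboards still works. An unkeyed
    hash would not protect the address: the IPv4 space is small enough to
    enumerate, so the secret key is what separates the token from the address.
    """
    if len(key) < 16:
        raise ValueError("HMAC key must be at least 16 bytes")
    canonical = str(ipaddress.ip_address(ip_text)).encode("ascii")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:length]

def statsd_line(metric, value, mtype, client_ip, key):
    """Emit a statsd line that tags the client by HMAC token instead of address."""
    return f"{metric}:{value}|{mtype}|#client:{pseudonymise_ip(client_ip, key)}"

if __name__ == "__main__":
    line = statsd_line("plack.request.time", 42, "ms", "203.0.113.7", DEMO_KEY)
    print(line)  # the raw address never appears on the wire
    assert "203.0.113.7" not in line
```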
Workarounds
- Co-locate the statsd daemon on the same host as the application and bind it to 127.0.0.1 to eliminate network exposure.
- Tunnel statsd UDP traffic through an encrypted overlay such as IPsec or WireGuard between the application and collector.
- Disable IP-related metric tags in the application's middleware configuration until the upgrade is deployed.
# Upgrade Plack::Middleware::Statsd to a fixed release
cpanm Plack::Middleware::Statsd@0.9.0
# Verify the installed version
perl -MPlack::Middleware::Statsd -E 'say $Plack::Middleware::Statsd::VERSION'
# Restrict statsd to loopback at the daemon (example: /etc/statsd/config.js)
# address: "127.0.0.1"
# port: 8125
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.