CVE-2026-45180 Overview
CVE-2026-45180 affects Catalyst::Plugin::Statsd for Perl. The plugin transmits metric data to a StatsD daemon and may include user session identifiers in those metrics. When the channel to the daemon is not protected, for example when the UDP datagrams cross another network, the session identifiers travel in cleartext. An attacker who observes that traffic can capture them and present them to the application as bearer tokens. The NVD record lists versions through 0.10.0 as affected, while the vendor advisory names v0.10.0 as the release that stops emitting session-scoped data; confirm the exact boundary against the advisory before treating a deployment as patched. The issue is classified under CWE-319: Cleartext Transmission of Sensitive Information.
Critical Impact
Network-positioned attackers can capture leaked session IDs from unencrypted StatsD traffic and reuse them to impersonate authenticated users of Catalyst-based Perl web applications.
Affected Products
- Catalyst::Plugin::Statsd Perl module, versions before the fixed release v0.10.0 (the NVD record phrases the affected range as "through 0.10.0"; check the advisory for the exact boundary)
- Related Perl observability components referenced in vendor advisories, including CatalystX::Statsd and Plack::Middleware::Statsd
- Catalyst web applications that emit session-scoped metrics to an external StatsD daemon
Discovery Timeline
- 2026-05-10 - CVE-2026-45180 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-45180
Vulnerability Analysis
The vulnerability stems from how Catalyst::Plugin::Statsd builds and emits metric names. Metrics generated by the plugin can incorporate session identifiers as part of their keys or tags. These metrics are then sent to a StatsD daemon, typically over UDP, which provides no transport-layer confidentiality. Any network device or host on the path between the application and the daemon can observe the payload.
Session identifiers in Catalyst applications act as bearer tokens. Once captured, an attacker can replay them in cookies or headers to access an authenticated user's session without credentials. This breaks the trust boundary that the session identifier is intended to protect. The advisory addresses the issue in release v0.10.0, where the plugin no longer emits session-scoped data through this channel. See the GitHub Security Advisory and the MetaCPAN release notes for technical details.
Root Cause
The plugin includes sensitive session state in metric identifiers and ships it over an unauthenticated, unencrypted channel. StatsD over UDP was designed for low-overhead telemetry, not for carrying secrets. A session identifier is a bearer token; once it leaves the session store for a telemetry pipeline it has escaped the trust boundary it was meant to protect, and every host that can read the pipeline holds a usable credential.
Attack Vector
An attacker must observe the network path between the Catalyst application and the StatsD daemon. This is feasible when the daemon resides on another subnet, in a different cloud VPC, or behind shared infrastructure. Captured session identifiers can then be replayed against the public application endpoint.
No verified public exploit code is available for this advisory. The vulnerability mechanism is described in the linked Plack::Middleware::Statsd advisory and the related CVE-2026-45179 record.
Detection Methods for CVE-2026-45180
Indicators of Compromise
- Outbound UDP traffic to StatsD destination ports (commonly 8125) crossing trust boundaries such as subnet, VLAN, or VPC edges.
- StatsD metric names or tags that contain long, opaque, high-entropy strings consistent with session identifier formats.
- Authenticated requests that present an existing session identifier from a client IP address not previously associated with that session, with no login event for the session from the new address.
Detection Strategies
- Inspect StatsD payloads in lab environments to confirm whether session identifiers appear in metric keys emitted by Catalyst::Plugin::Statsd.
- Correlate web access logs with session-cookie reuse anomalies to surface replay attempts following metric exposure.
- Run a software bill of materials query across Perl deployments to locate hosts running Catalyst::Plugin::Statsd at versions earlier than 0.10.0.
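To make the first two strategies concrete, here is an added example in Python (not code from the advisory, the plugin, or this page; Python rather than Perl because the check runs over captured traffic, not inside the Catalyst application). It parses StatsD datagrams and flags metric-name components or tag values that look like session identifiers. The sample payload, both opaque token values, and the length and entropy thresholds are constructed for the example; the "|#tag" suffix is the DogStatsD extension and is handled only because tags are another place a session identifier can ride along.

```python
"""Scan StatsD datagrams for tokens that look like session identifiers."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample datagram (not a real capture). statsd accepts several
# metrics per UDP packet, newline-separated. The two long opaque tokens are
# made up for this example.
SAMPLE_PAYLOAD = (
    "myapp.request.session.3f9c2b7e8d14a5c6b0e1f2a3d4c5b6a7:1|c\n"
    "myapp.request.time:42|ms|@0.5\n"
    "myapp.session.active:17|g\n"
    "myapp.login.ok:1|c|#sid:YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=,env:prod\n"
)

# Character set typical of hex, base64 and URL-safe base64 session tokens.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


@dataclass(frozen=True)
class Finding:
    metric: str
    token: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from character frequencies in s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_session_id(token: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, token-charset only, and high entropy. The thresholds are
    assumptions tuned for 32-hex-character and base64 identifiers; adjust them
    to the session ID format the application actually issues."""
    if len(token) < min_len or not _TOKEN_RE.match(token):
        return False
    return shannon_entropy(token) >= min_entropy


def parse_statsd(payload: str):
    """Yield (metric_name, tag_values) for each metric line in a datagram."""
    for line in payload.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(":")
        tags: list[str] = []
        # rest is value|type[|@sample_rate][|#tag1:val1,tag2:val2]
        for field in rest.split("|")[2:]:
            if field.startswith("#"):
                for tag in field[1:].split(","):
                    key, _, value = tag.partition(":")
                    tags.append(value or key)
        yield name, tags


def scan_payload(payload: str) -> list[Finding]:
    """Return every metric-name component or tag value that looks like a session ID."""
    findings: list[Finding] = []
    for name, tags in parse_statsd(payload):
        for tok in name.split(".") + tags:
            if looks_like_session_id(tok):
                findings.append(Finding(name, tok, round(shannon_entropy(tok), 2)))
    return findings


if __name__ == "__main__":
    for f in scan_payload(SAMPLE_PAYLOAD):
        print(f"possible session ID on the wire: metric={f.metric} token={f.token} entropy={f.entropy}")
```

Run it against payloads pulled from a packet capture on the StatsD port (or from a lab daemon's debug output) and treat any finding as a confirmed leak to be fixed at the emitter; the entropy heuristic exists only to avoid reading every metric by hand, so tune the thresholds against a few known-good and known-bad samples rather than trusting the defaults.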
Monitoring Recommendations
- Alert on unencrypted UDP egress from application servers to StatsD endpoints outside a defined allowlist of internal hosts.
- Monitor session-token lifetime and concurrent-use patterns to identify the same identifier used from multiple geographies.
- Capture and retain StatsD traffic samples for periodic review against data-classification policy. Treat the captures themselves as sensitive: a sample that contains a live session identifier is as dangerous as the original leak, so restrict access to it and keep retention short.
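An added example (Python, not code from this page or from the plugin) of the cookie-reuse correlation described under Detection Strategies and Monitoring Recommendations: it walks constructed access-log lines and alerts when a session identifier first seen from one client IP is later presented from a different IP by a request that is not itself a login. The log format, the /login path, and every IP address and session value are assumptions made up for the example.

```python
"""Flag session identifiers reused from a new client IP with no preceding login."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed access-log lines (not from a real deployment). Fields:
# timestamp, client IP, method, path, status, session cookie value.
SAMPLE_LOG = """\
2026-05-11T09:00:01Z 203.0.113.10 POST /login 302 sid=7d2e1f0a9b8c7d6e5f4a3b2c1d0e9f88
2026-05-11T09:00:05Z 203.0.113.10 GET /account 200 sid=7d2e1f0a9b8c7d6e5f4a3b2c1d0e9f88
2026-05-11T09:14:22Z 198.51.100.77 GET /account 200 sid=7d2e1f0a9b8c7d6e5f4a3b2c1d0e9f88
2026-05-11T09:15:00Z 192.0.2.44 POST /login 302 sid=aa11bb22cc33dd44ee55ff6677889900
2026-05-11T09:15:03Z 192.0.2.44 GET /account 200 sid=aa11bb22cc33dd44ee55ff6677889900
2026-05-11T09:20:00Z 192.0.2.45 POST /login 302 sid=aa11bb22cc33dd44ee55ff6677889900
"""

LOGIN_PATH = "/login"  # assumed login endpoint; adjust to the application


@dataclass(frozen=True)
class Request:
    ts: str
    ip: str
    method: str
    path: str
    status: int
    sid: str


@dataclass(frozen=True)
class Alert:
    sid: str
    first_ip: str
    new_ip: str
    ts: str
    path: str


def parse_log(text: str):
    """Yield one Request per non-empty log line in the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, cookie = line.split()
        _, _, sid = cookie.partition("sid=")
        yield Request(ts, ip, method, path, int(status), sid)


def is_login(r: Request) -> bool:
    """A successful login is a fresh authentication event for the session."""
    return r.method == "POST" and r.path == LOGIN_PATH and r.status in (200, 302)


def find_session_replays(text: str) -> list[Alert]:
    """Alert when a session ID already bound to one or more IPs is presented from
    a new IP and the presenting request is not itself a login."""
    first_ip: dict[str, str] = {}
    known_ips: dict[str, set[str]] = {}
    alerts: list[Alert] = []
    for r in parse_log(text):
        ips = known_ips.setdefault(r.sid, set())
        if ips and r.ip not in ips and not is_login(r):
            alerts.append(Alert(r.sid, first_ip[r.sid], r.ip, r.ts, r.path))
        if not ips:
            first_ip[r.sid] = r.ip
        ips.add(r.ip)
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_LOG):
        print(f"replay? sid={a.sid} first_ip={a.first_ip} new_ip={a.new_ip} at {a.ts} {a.path}")
```

Once a new IP has been recorded for a session, later requests from that IP do not alert again, so pair this with an out-of-band response (invalidate the session, force re-login) rather than relying on repeated alerts. Mobile users legitimately change addresses, so in production treat a match as a triage signal and weight it by geography, ASN change and the time gap, as the monitoring recommendations above suggest.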
How to Mitigate CVE-2026-45180
Immediate Actions Required
- Upgrade Catalyst::Plugin::Statsd to version v0.10.0 or later across all Catalyst deployments.
- Audit StatsD metric streams for embedded session identifiers and invalidate any sessions that may have been exposed, forcing those users to authenticate again.
- Restrict StatsD daemons to loopback or to a dedicated management network reachable only from the application hosts.
Patch Information
The fix is shipped in Catalyst-Plugin-Statsd v0.10.0, available on CPAN. Review the MetaCPAN release changes and apply the upgrade through your standard Perl dependency manager such as cpanm or cpm. Coordinated changes for CatalystX::Statsd and Plack::Middleware::Statsd are described in their respective GitHub Security Advisory entries.
Workarounds
- Disable session-scoped metrics in the plugin configuration until the upgrade is deployed.
- Co-locate the StatsD daemon on the same host as the Catalyst application and bind it to 127.0.0.1 to keep metrics off the wire.
- Tunnel StatsD traffic through an encrypted transport such as a site-to-site VPN or WireGuard when cross-host telemetry is required. stunnel wraps TCP only, so it applies only if the daemon is run with its TCP server rather than the default UDP listener.
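An added example (Python, not the plugin's own code, which is Perl) of the metric-naming discipline the workarounds and the fixed release aim at: the leaking pattern beside two non-leaking alternatives, plus a guard that refuses to build a datagram containing the raw session identifier. The metric prefixes, the HMAC key and the session value are assumptions made up for the example.

```python
"""Build StatsD metric names that never carry the session identifier on the wire."""
from __future__ import annotations

import hashlib
import hmac
import re

# Anything outside this set is a statsd delimiter (":", "|", "@", "#") or
# otherwise unsafe in a metric name.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


def safe_component(s: str) -> str:
    """Turn a request path such as /account/orders into account_orders."""
    return _UNSAFE.sub("_", s.strip("/")) or "root"


def vulnerable_metric(session_id: str, path: str) -> str:
    """The pattern this advisory describes: the raw session ID becomes part of the key."""
    return f"myapp.session.{session_id}.{safe_component(path)}"


def hardened_metric(path: str) -> str:
    """Preferred fix: per-request metrics do not need session scope at all."""
    return f"myapp.request.{safe_component(path)}"


def pseudonymous_session_tag(session_id: str, key: bytes) -> str:
    """If per-session cardinality is genuinely required, emit a keyed, truncated
    HMAC instead of the identifier. The key is an assumption of this example and
    must be a separate secret that never leaves the application."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_datagram(name: str, value: int, mtype: str = "c") -> str:
    """Serialize one metric in statsd wire format, rejecting unsafe names."""
    if _UNSAFE.search(name):
        raise ValueError(f"unsafe characters in metric name: {name!r}")
    return f"{name}:{value}|{mtype}"


def safe_session_datagram(session_id: str, path: str, key: bytes) -> str:
    """Datagram carrying a session-derived tag but never the session ID itself."""
    name = f"myapp.session.{pseudonymous_session_tag(session_id, key)}.{safe_component(path)}"
    dgram = build_datagram(name, 1)
    # Last-line defence before anything reaches the UDP socket.
    if session_id in dgram:
        raise RuntimeError("session identifier would be emitted in cleartext")
    return dgram


if __name__ == "__main__":
    sid = "3f9c2b7e8d14a5c6b0e1f2a3d4c5b6a7"  # constructed session ID
    print("leaks:   ", build_datagram(vulnerable_metric(sid, "/account"), 1))
    print("hardened:", build_datagram(hardened_metric("/account"), 1))
    print("tagged:  ", safe_session_datagram(sid, "/account", b"example-metrics-key"))
```

Dropping session scope (hardened_metric) is the right default; per-session metrics are rarely useful and inflate cardinality. The keyed HMAC variant is for teams that insist on per-session counters: the 16-hex-character tag cannot be turned back into the session ID without the key, so a captured datagram no longer yields a replayable token, but the key must be managed as a secret in its own right and must not be the application's session or cookie secret.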
# Configuration example: upgrade the plugin and bind the StatsD daemon to loopback
cpanm Catalyst::Plugin::Statsd@0.10.0

// /etc/statsd/config.js (excerpt): listen on loopback only, so metrics never leave the host
{
  address: "127.0.0.1",
  port: 8125
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


