CVE-2026-46720 Overview
CVE-2026-46720 affects Net::Statsd::Tiny versions before 0.3.8 for Perl. The module failed to validate metric names and set values for newline, colon (:), and pipe (|) characters. Applications generating statsd metrics from untrusted input could allow attackers to inject arbitrary additional metrics into the statsd stream. The flaw maps to CWE-93: Improper Neutralization of CRLF Sequences.
Critical Impact
Attackers can inject arbitrary statsd metrics through untrusted inputs passed to Net::Statsd::Tiny, corrupting monitoring telemetry and potentially masking malicious activity.
Affected Products
- Net::Statsd::Tiny Perl module versions prior to 0.3.8
- Perl applications that pass untrusted input as statsd metric names or set values
- Monitoring pipelines consuming statsd output from vulnerable producers
Discovery Timeline
- 2026-05-17 - CVE-2026-46720 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-46720
Vulnerability Analysis
The statsd line protocol uses specific delimiter characters to separate metric components. A typical statsd packet follows the format metric.name:value|type, with newlines separating multiple metrics in a single payload. Net::Statsd::Tiny constructed these packets by concatenating caller-supplied names and values without rejecting or escaping the protocol's reserved characters.
When a Perl application forwards user-controlled data — such as request paths, usernames, or tag values — into a metric name or set value, an attacker can embed \n, :, or | characters. The resulting payload contains additional, attacker-defined statsd lines that the receiving daemon parses as legitimate metrics.
Root Cause
The module lacked input validation on metric names and set values before serialization. Characters below ASCII 32 (including \r and \n), the colon, and the pipe were treated as ordinary data. This is a classic CRLF-style injection adapted to the statsd protocol [CWE-93].
Attack Vector
The attack requires no authentication and is network-exploitable through any application surface that feeds untrusted strings into the vulnerable API. The attacker influences metric content but does not need direct access to the statsd daemon. Successful injection corrupts monitoring dashboards, triggers false alerts, suppresses real signals, or pollutes billing and capacity data derived from metrics.
[Security]
- Metrics names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines),
colon (":") or pipe ("|") characters that might allow metric injection. CVE-2026-46720
Source: GitHub Commit Patch
The patch adds explicit validation rejecting control characters, colons, and pipes in metric names and set values, closing the injection channel.
Detection Methods for CVE-2026-46720
Indicators of Compromise
- Statsd traffic containing unexpected metric names that mirror application input fields
- Sudden appearance of metrics with embedded \n, :, or | characters in source logs
- Spikes or anomalies in metric counts that do not correlate with traffic volume
- Perl dependency manifests pinning Net::Statsd::Tiny to versions below 0.3.8
Detection Strategies
- Inventory all Perl projects and CPAN dependencies for Net::Statsd::Tiny and flag versions earlier than 0.3.8
- Inspect statsd UDP/TCP captures for payloads where metric names contain reserved protocol characters
- Correlate metric anomalies with web request logs to identify untrusted inputs reaching the metrics layer
Monitoring Recommendations
- Enable alerting on the rate of new, previously unseen metric names emitted by each service
- Log and review any rejected metrics after upgrading, as rejections may indicate prior injection attempts
- Add software composition analysis (SCA) checks to CI pipelines to fail builds using vulnerable module versions
How to Mitigate CVE-2026-46720
Immediate Actions Required
- Upgrade Net::Statsd::Tiny to version 0.3.8 or later across all Perl applications
- Audit application code paths that pass user input into metric names or set values
- Review historical statsd data for evidence of injected metrics and remove polluted series
Patch Information
The fix is committed in Net-Statsd-Tiny commit 06f814f5 and released in version 0.3.8. See the MetaCPAN Release Changes for full details. A related issue is tracked under CVE-2026-46719.
Workarounds
- Sanitize all user-controlled strings before passing them to metric APIs by stripping characters below ASCII 32, :, and |
- Restrict metric name generation to a server-controlled allowlist of identifiers
- Place a filtering proxy between application hosts and the statsd daemon to drop malformed lines
# Upgrade Net::Statsd::Tiny via cpanm
cpanm Net::Statsd::Tiny@0.3.8
# Or pin in cpanfile
echo 'requires "Net::Statsd::Tiny" => "0.3.8";' >> cpanfile
cpanm --installdeps .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
