CVE Vulnerability Database

CVE-2026-8722: Perl Net::Async::Statsd Metric Injection

CVE-2026-8722 is a metric injection flaw in Net::Async::Statsd::Client for Perl that allows attackers to inject additional statsd metrics through unvalidated input. This article covers technical details, affected versions, and mitigation.

CVE-2026-8722 Overview

CVE-2026-8722 affects Net::Async::Statsd::Client versions through 0.005 for Perl. The library fails to validate metric names for newline, colon, and pipe characters. When applications pass untrusted input as metric names, attackers can inject arbitrary statsd metrics into the outbound stream. This issue is classified under [CWE-93] Improper Neutralization of CRLF Sequences.

Critical Impact

Attackers controlling metric name inputs can forge or pollute statsd metrics, corrupting monitoring data and dashboards used for operational decisions.

Affected Products

  • Net::Async::Statsd::Client for Perl, versions through 0.005
  • Applications consuming this library with untrusted metric name sources
  • Monitoring pipelines ingesting statsd traffic generated by the affected client

Discovery Timeline

  • 2026-06-04 - CVE-2026-8722 published to NVD
  • 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2026-8722

Vulnerability Analysis

The statsd line protocol uses delimiters to separate metric components. A metric line follows the pattern name:value|type, with newlines separating multiple metrics in a single packet. Net::Async::Statsd::Client constructs these lines by concatenating caller-supplied metric names directly into the protocol string. The client does not reject or escape the three delimiter characters: newline (\n), colon (:), and pipe (|).

When a metric name originates from an untrusted source, an attacker can embed delimiters to terminate the legitimate metric and append additional metrics. Downstream statsd servers parse the injected entries as authentic measurements. This corrupts counters, gauges, and timers, which can mislead alerting systems and capacity planning.

Root Cause

The root cause is missing input neutralization in the metric name handling path. The library trusts caller-supplied strings and writes them to the wire without sanitization. [CWE-93] applies because newline injection enables protocol-level forgery.

Attack Vector

Exploitation requires an application to forward untrusted data into a metric name argument. Common patterns include using HTTP request paths, usernames, or query parameters as metric labels. The attacker submits a value containing \n, :, or | followed by a forged metric specification. The statsd packet then contains both the original metric and the attacker-controlled one. No authentication to statsd is required because the affected client emits the traffic on behalf of the application.

No verified exploit code is published for this CVE. Refer to the CVE-2026-46719 Record and CVE-2026-46720 Record for related disclosures.

Detection Methods for CVE-2026-8722

Indicators of Compromise

  • Statsd packets containing unexpected metric names that match user-controllable fields such as URL paths or usernames.
  • Sudden appearance of metrics whose names include encoded or literal newline, colon, or pipe characters.
  • Metric volume spikes from a single application source without a corresponding change in traffic.

Detection Strategies

  • Inspect statsd UDP traffic for metric lines whose name segment contains control characters or multiple : separators.
  • Audit application source code for calls into Net::Async::Statsd::Client that pass request-derived data as metric names.
  • Compare emitted metric inventories against an allowlist of metric names defined by the application.
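The following Perl script is an added example, not code from the CVE record or from Net::Async::Statsd::Client, implementing the first and third detection strategies above: it parses a statsd datagram, flags name segments that contain characters outside the allowlist or a second colon separator, and compares surviving names against an application allowlist. The allowlist entries and the sample packet are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example: scan statsd datagrams for injected or malformed metric lines.
use strict;
use warnings;

# Constructed allowlist of metric names the application is expected to emit.
my %KNOWN = map { $_ => 1 } qw(web.requests web.latency_ms db.queries);

# Parse one datagram; return a list of findings as { line, reason } hashrefs.
sub scan_datagram {
    my ($datagram, $known) = @_;
    my @findings;
    for my $line (split /\n/, $datagram) {
        next if $line eq '';
        # A well-formed line is name:value|type with an optional |@rate.
        my ($name, $rest) = split /:/, $line, 2;
        if (!defined $rest) {
            push @findings, { line => $line, reason => 'missing value/type (cut by newline)' };
        }
        elsif ($name =~ /[^A-Za-z0-9_.\-]/) {
            push @findings, { line => $line, reason => 'illegal character in name' };
        }
        elsif ($rest =~ /:/) {
            push @findings, { line => $line, reason => 'multiple colon separators' };
        }
        elsif ($rest !~ /^[-+]?\d+(?:\.\d+)?\|(?:c|g|ms|s|h)(?:\|\@\d*\.?\d+)?$/) {
            push @findings, { line => $line, reason => 'malformed value/type segment' };
        }
        elsif (!$known->{$name}) {
            push @findings, { line => $line, reason => 'name not in allowlist' };
        }
    }
    return @findings;
}

# Constructed sample packet: a legitimate counter, then what an unvalidated
# client emits when a request-derived name carries an embedded newline, then
# a metric whose name contains a literal pipe character.
my $packet = "web.requests:1|c\n"
           . "web.req.x\nforged.alert:9999|g:1|c\n"
           . "web.req.a|c:1|c\n";

for my $f (scan_datagram($packet, \%KNOWN)) {
    printf "%-36s %s\n", $f->{reason}, $f->{line};
}
```

Run against a capture of receiver-side datagrams, the first legitimate line produces no finding while the three injected fragments are each reported with a distinct reason, which is the signal to alert on.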

Monitoring Recommendations

  • Enable verbose logging on the statsd receiver and alert on previously unseen metric names.
  • Forward statsd ingress logs to a central analytics platform and baseline expected metric cardinality.
  • Track changes in metric name diversity over time to identify injection-driven cardinality explosions.

How to Mitigate CVE-2026-8722

Immediate Actions Required

  • Identify all Perl applications that depend on Net::Async::Statsd::Client at version 0.005 or earlier.
  • Sanitize metric names at the application layer by rejecting or stripping \n, :, and | characters before invoking the client.
  • Treat any metric name derived from external input as untrusted and map it to a fixed allowlist of label values.

Patch Information

No fixed version is recorded in the NVD entry at the time of publication. Monitor the upstream CPAN distribution and the CVE-2026-46719 Record and CVE-2026-46720 Record for updates. Apply vendor patches once released.

Workarounds

  • Wrap calls to the client with a validation function that enforces a regex such as ^[A-Za-z0-9_.-]+$ on metric names.
  • Move user-derived data from metric names into tag values handled by a tag-aware transport that escapes delimiters.
  • Restrict statsd traffic to trusted internal networks to limit the blast radius of forged metrics.
```perl
# Configuration example: validate metric names before emitting
# Wrapper around Net::Async::Statsd::Client
use strict;
use warnings;

# Client instance constructed elsewhere by the application
our $statsd;

sub safe_metric {
    my ($name) = @_;
    # The allowlist regex admits no newline, colon or pipe characters
    return unless defined $name && $name =~ /^[A-Za-z0-9_.-]+$/;
    $statsd->increment($name);
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
