PatchSiren cyber security CVE debrief
CVE-2026-46719 Metacpan CVE debrief
CVE-2026-46719 affects the Perl module Net::Statsd::Lite before version 0.9.0. The issue is an input-validation flaw in metric-name handling: names were not checked for newlines, colons, or pipes, so untrusted input could inject additional statsd metrics.
- Vendor: Metacpan
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
Teams running Perl applications that generate statsd metrics from user-controlled, tenant-controlled, or otherwise untrusted data should care most. Operators who rely on Net::Statsd::Lite for application telemetry, billing, quota, or alerting signals should also review their usage.
Technical summary
According to the supplied description, Net::Statsd::Lite versions before 0.9.0 did not validate metric names for characters that carry structural meaning in a statsd payload. The statsd wire format is line-oriented: a newline separates one metric from the next, a colon separates the name from its value, and a pipe separates the value from its type, so allowing any of these characters in a metric name lets attacker-controlled data create extra or malformed metrics. NVD maps the weakness to CWE-93 (improper neutralization of CRLF sequences). The referenced v0.9.0 changelog and upstream patch indicate the fix shipped in version 0.9.0.
Defensive priority
Moderate to high if the module processes any untrusted or semi-trusted input in metric names; otherwise lower. Prioritize remediation where telemetry is exposed to user-supplied strings, multi-tenant identifiers, or external event data.
Recommended defensive actions
- Upgrade Net::Statsd::Lite to version 0.9.0 or later.
- Audit all code paths that build metric names from untrusted or partially trusted input.
- Add local allowlisting or sanitization for metric-name fields before they reach statsd formatting.
- Review dashboards, alerting rules, and billing logic that depend on statsd metrics for unexpected metric inflation or name collisions.
- Use the upstream patch and v0.9.0 changelog as change references when validating the fix in your environment.
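The following is an added illustration, not code from Net::Statsd::Lite or its upstream patch; it is written in Python rather than Perl so the statsd framing can be exercised stand-alone. It shows how an unvalidated name is split into extra metrics by a line-oriented receiver, and how an allowlist check or a sanitizer applied before formatting prevents that. The allowlist pattern, the sanitizer's replacement character and the tenant id are assumptions constructed for this example.

```python
import re

# Allowlist for metric-name characters (an assumption of this example, not
# the upstream module's rule): letters, digits, underscore, dot and hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Characters with structural meaning on a statsd line: ':' separates the name
# from the value, '|' separates the value from the type, and a line break
# separates one metric from the next.
STRUCTURAL = re.compile(r"[:|\r\n]")


def format_metric(name, value, kind):
    """Build one statsd line without validating the name (the pre-0.9.0 pattern)."""
    return f"{name}:{value}|{kind}"


def is_safe_name(name):
    """Strict check: True only if every character is on the allowlist."""
    return bool(SAFE_NAME.match(name))


def validate_name(name):
    """Strict mode: refuse to format a name that fails the allowlist."""
    if not is_safe_name(name):
        raise ValueError(f"unsafe statsd metric name: {name!r}")
    return name


def sanitize_name(name):
    """Lenient mode: replace structural characters so the name stays one token."""
    return STRUCTURAL.sub("_", name)


def parse_payload(payload):
    """Split a payload into (name, value, type) tuples the way a statsd server does."""
    metrics = []
    for line in payload.splitlines():
        name, _, rest = line.partition(":")
        value, _, kind = rest.partition("|")
        metrics.append((name, value, kind))
    return metrics


# Constructed untrusted input: a tenant id that carries statsd delimiters.
HOSTILE_TENANT = "tenant42:9999|c\nbilling.refund"


def build_payloads(tenant):
    """Return the unvalidated and the sanitized payload for a login counter."""
    unsafe = format_metric(f"login.{tenant}", 1, "c")
    safe = format_metric(f"login.{sanitize_name(tenant)}", 1, "c")
    return unsafe, safe
```

Parsing the unsanitized payload yields two metrics (the second one fully attacker-chosen), while the sanitized payload yields exactly one; the strict validator simply rejects the tenant id outright.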
Evidence notes
The source corpus states that metric names were not checked for newlines, colons, or pipes, and that metrics generated from untrusted sources could inject additional statsd metrics. The supplied references point to an upstream patch and the Net::Statsd::Lite v0.9.0 changelog, which support the versioned fix. NVD lists CWE-93 as the associated weakness. No CVSS score was provided in the supplied data.
Official resources
- CVE-2026-46719 CVE record (CVE.org)
- CVE-2026-46719 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e
- Source reference: af854a3a-2127-422b-91ae-364da2661108
Publicly disclosed on 2026-05-16 and last modified on 2026-05-16, per the supplied CVE timeline.