CVE-2026-50638 PEVANS CVE debrief

Who should care

Users of Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl should be concerned about this vulnerability as it can lead to metric injections, potentially causing issues with monitoring and logging.

Technical summary

The vulnerability exists in Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl. It is caused by the lack of protection against multiple metrics separated by newlines in a single packet. The statsd protocol and its extensions allow multiple metrics to be sent per packet, separated by newlines. Furthermore, the _tags function does not properly validate tags for newlines or statsd control characters, making it possible to inject metrics using tags.

Defensive priority

High

Recommended defensive actions

• Update Metrics::Any::Adapter::DogStatsd to version 0.04 or later.
• Validate and sanitize user input to prevent metric injections.
• Monitor for suspicious activity and implement additional security measures as necessary.

Evidence notes

The CVE record and details were obtained from the official CVE website and the National Vulnerability Database (NVD).

Official resources