CVE-2026-11373: CWE-93 Improper Neutralization of CRLF Sequences in JASEI Net::Statsite::Client
Net::Statsite::Client versions up to 1.1.0 for Perl are vulnerable to metric injection due to improper neutralization of CRLF sequences. The vulnerability arises because newlines and other protocol control characters such as colons or pipes are not removed or sanitized from metric names and values. This allows an attacker to inject arbitrary metrics into the statsite protocol communication.
AI Analysis
Technical Summary
CVE-2026-11373 describes a vulnerability in JASEI's Net::Statsite::Client Perl module (versions <=1.1.0) where improper neutralization of CRLF sequences (CWE-93) and insufficient sanitization of protocol control characters (CWE-150) allow metric injection attacks. Specifically, newlines are not removed from metric names, and values are not sanitized for newlines or other control characters like colons or pipes. This flaw enables an attacker to inject crafted metrics into the statsite protocol, potentially manipulating monitoring data or causing unexpected behavior in systems relying on these metrics.
Potential Impact
The vulnerability allows injection of arbitrary metrics into the statsite protocol by exploiting unsanitized newlines and control characters in metric names and values. This can lead to manipulation or corruption of monitoring data. There is no indication of remote code execution or direct system compromise from the provided data. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, users should consider sanitizing metric names and values themselves to remove newlines and control characters before sending data through Net::Statsite::Client.
CVE-2026-11373: CWE-93 Improper Neutralization of CRLF Sequences in JASEI Net::Statsite::Client
Description
Net::Statsite::Client versions up to 1.1.0 for Perl are vulnerable to metric injection due to improper neutralization of CRLF sequences. The vulnerability arises because newlines and other protocol control characters such as colons or pipes are not removed or sanitized from metric names and values. This allows an attacker to inject arbitrary metrics into the statsite protocol communication.
Affected software
pkg:github/Net-Statsite-ClientRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11373 describes a vulnerability in JASEI's Net::Statsite::Client Perl module (versions <=1.1.0) where improper neutralization of CRLF sequences (CWE-93) and insufficient sanitization of protocol control characters (CWE-150) allow metric injection attacks. Specifically, newlines are not removed from metric names, and values are not sanitized for newlines or other control characters like colons or pipes. This flaw enables an attacker to inject crafted metrics into the statsite protocol, potentially manipulating monitoring data or causing unexpected behavior in systems relying on these metrics.
Potential Impact
The vulnerability allows injection of arbitrary metrics into the statsite protocol by exploiting unsanitized newlines and control characters in metric names and values. This can lead to manipulation or corruption of monitoring data. There is no indication of remote code execution or direct system compromise from the provided data. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, users should consider sanitizing metric names and values themselves to remove newlines and control characters before sending data through Net::Statsite::Client.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-06-05T12:15:54.476Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a392271eed863c81ebdc5d3
Added to database: 06/22/2026, 11:54:25 UTC
Last enriched: 06/22/2026, 12:09:08 UTC
Last updated: 06/22/2026, 12:34:18 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.