CVE-2026-45179: CWE-319 Cleartext Transmission of Sensitive Information in RRWO Plack::Middleware::Statsd
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Plack::Middleware::Statsd versions prior to 0.9.0 may leak user IP addresses because they are transmitted in cleartext over an unsecured channel to the statsd daemon. This occurs when UDP packets are sent to a host on a different network without encryption or other protections. Starting with version 0.9.0, the middleware no longer sends raw IP addresses by default; when IP logging is explicitly configured, it sends an HMAC signature of the IP address instead. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information). No vendor advisory or patch information is currently available.
Potential Impact
The vulnerability can lead to the exposure of user IP addresses if the statsd communication channel is not secured, which may compromise user privacy. There is no indication of impact on integrity or availability. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should upgrade to Plack::Middleware::Statsd version 0.9.0 or later, where the raw IP address is no longer sent to statsd by default and, when IP logging is enabled, an HMAC signature is sent in its place. Additionally, securing the communication channel to the statsd daemon (for example, not sending UDP packets across untrusted networks) mitigates the risk of IP address leakage.
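To illustrate the post-0.9.0 behaviour described above (a keyed HMAC of the client address in place of the raw IP), the following is an added example and not the module's own code; the secret key, the metric layout and the helper names are assumptions, not Plack::Middleware::Statsd's configuration.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed example secret: in a real deployment this comes from application
# configuration and is never derived from request data.
STATSD_IP_KEY = b"example-secret-key-rotate-me"


def pseudonymize_ip(ip: str, key: bytes = STATSD_IP_KEY, length: int = 16) -> str:
    """Return a keyed, truncated HMAC-SHA256 tag for a client IP address.

    The tag is stable for a given (key, ip) pair, so per-client metrics can
    still be correlated, but it cannot be mapped back to the address without
    the key. An unkeyed hash would not be enough: the IPv4 space is only 2^32
    addresses, so a plain SHA-256 of an IP is reversible by table lookup.
    """
    # Normalise so "::ffff:203.0.113.5" and "203.0.113.5" tag the same client,
    # and IPv6 zero-compression differences do not split one client in two.
    addr = ipaddress.ip_address(ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    digest = hmac.new(key, addr.compressed.encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def statsd_metric(name: str, value: int, client_ip: Optional[str] = None) -> str:
    """Build a statsd counter line ("name:value|c").

    Assumed layout: the client pseudonym is appended as a metric-name
    component, so the datagram carries the HMAC tag, never the raw address.
    """
    if client_ip is not None:
        name = f"{name}.client.{pseudonymize_ip(client_ip)}"
    return f"{name}:{value}|c"


def leaks_raw_ip(payload: str, ip: str) -> bool:
    """Check an outgoing datagram for the literal address (the pre-0.9.0 risk)."""
    return ip in payload
```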
CVSS v3.1
Score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-05-09T18:57:17.867Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a00e1bdcbff5d8610bda80a
Added to database: 5/10/2026, 7:51:25 PM
Last enriched: 5/18/2026, 10:05:10 AM
Last updated: 6/18/2026, 5:21:52 AM