Net::Statsd versions prior to 0.13 for Perl contain a CWE-93 vulnerability where metric names are not sanitized for CRLF sequences or special characters such as colons and pipes. This lack of validation allows an attacker controlling metric input to inject arbitrary additional metrics. Furthermore, the update_stats and gauge methods fail to enforce numeric-only values, which could be exploited to inject malicious metrics. No patch or official remediation has been documented at this time.

An attacker able to supply metric names or values can inject additional statsd metrics, potentially corrupting monitoring data or causing misleading statistics. This could affect the integrity of monitoring systems relying on Net::Statsd, but there is no evidence of exploitation in the wild or direct impact beyond metric injection.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid accepting metrics from untrusted sources or implement input validation to block newlines, colons, pipes, and non-numeric values in metrics and their values.