CVE-2026-50637: CWE-93 Improper Neutralization of CRLF Sequences in PEVANS Metrics::Any::Adapter::Statsd
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
AI Analysis
Technical Summary
The Metrics::Any::Adapter::Statsd Perl module prior to version 0.04 is vulnerable to improper neutralization of CRLF sequences (CWE-93). The statsd protocol allows multiple metrics separated by newlines in a single packet. The module's send method fails to validate metric names or values, enabling attackers to inject additional metrics by including newline and control characters such as colon and pipe in metric names. This vulnerability was addressed in version 0.04 by modifying the _make method to reject metric names containing ASCII characters below 32, colons, or pipes.
Potential Impact
An attacker can craft metric names containing newline and control characters to inject arbitrary additional metrics into statsd packets. This could lead to inaccurate or misleading metric data being recorded or processed by monitoring systems relying on this module. No direct code execution or system compromise is indicated by the available information.
Mitigation Recommendations
Upgrade to Metrics::Any::Adapter::Statsd version 0.04 or later, which includes validation to block metric names with ASCII control characters, colons, or pipes. Patch status is not explicitly confirmed beyond this version, so users should verify the vendor advisory for any further updates.
CVE-2026-50637: CWE-93 Improper Neutralization of CRLF Sequences in PEVANS Metrics::Any::Adapter::Statsd
Description
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Metrics::Any::Adapter::Statsd Perl module prior to version 0.04 is vulnerable to improper neutralization of CRLF sequences (CWE-93). The statsd protocol allows multiple metrics separated by newlines in a single packet. The module's send method fails to validate metric names or values, enabling attackers to inject additional metrics by including newline and control characters such as colon and pipe in metric names. This vulnerability was addressed in version 0.04 by modifying the _make method to reject metric names containing ASCII characters below 32, colons, or pipes.
Potential Impact
An attacker can craft metric names containing newline and control characters to inject arbitrary additional metrics into statsd packets. This could lead to inaccurate or misleading metric data being recorded or processed by monitoring systems relying on this module. No direct code execution or system compromise is indicated by the available information.
Mitigation Recommendations
Upgrade to Metrics::Any::Adapter::Statsd version 0.04 or later, which includes validation to block metric names with ASCII control characters, colons, or pipes. Patch status is not explicitly confirmed beyond this version, so users should verify the vendor advisory for any further updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-06-05T12:07:20.886Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29b7f71a4077f7804aaf3c
Added to database: 6/10/2026, 7:16:07 PM
Last enriched: 6/10/2026, 7:30:59 PM
Last updated: 6/10/2026, 7:44:33 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.