CVE-2026-50638: CWE-93 Improper Neutralization of CRLF Sequences in PEVANS Metrics::Any::Adapter::DogStatsd
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
AI Analysis
Technical Summary
CVE-2026-50638 describes a vulnerability in Metrics::Any::Adapter::DogStatsd versions prior to 0.04 for Perl, where the software fails to properly neutralize CRLF sequences in metric tags. The statsd protocol allows multiple metrics separated by newlines in a single packet. Because the _tags function does not validate or sanitize tags for newlines or control characters, an attacker can inject additional metrics, potentially manipulating monitoring data. This vulnerability is related to CWE-93 (Improper Neutralization of CRLF Sequences) and is inherited from a similar issue in Metrics::Any::Adapter::Statsd. There is no CVSS score or known exploits in the wild, and no official remediation or patch has been published yet.
Potential Impact
The vulnerability allows an attacker to inject arbitrary metrics by exploiting the lack of input validation on tags, potentially corrupting monitoring data or causing inaccurate metric reporting. This could mislead monitoring systems or automated responses relying on these metrics. There is no indication of direct code execution or system compromise from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid sending untrusted or user-controlled data in metric tags to prevent injection. Monitoring for unusual metric patterns may help detect exploitation attempts.
CVE-2026-50638: CWE-93 Improper Neutralization of CRLF Sequences in PEVANS Metrics::Any::Adapter::DogStatsd
Description
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-50638 describes a vulnerability in Metrics::Any::Adapter::DogStatsd versions prior to 0.04 for Perl, where the software fails to properly neutralize CRLF sequences in metric tags. The statsd protocol allows multiple metrics separated by newlines in a single packet. Because the _tags function does not validate or sanitize tags for newlines or control characters, an attacker can inject additional metrics, potentially manipulating monitoring data. This vulnerability is related to CWE-93 (Improper Neutralization of CRLF Sequences) and is inherited from a similar issue in Metrics::Any::Adapter::Statsd. There is no CVSS score or known exploits in the wild, and no official remediation or patch has been published yet.
Potential Impact
The vulnerability allows an attacker to inject arbitrary metrics by exploiting the lack of input validation on tags, potentially corrupting monitoring data or causing inaccurate metric reporting. This could mislead monitoring systems or automated responses relying on these metrics. There is no indication of direct code execution or system compromise from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid sending untrusted or user-controlled data in metric tags to prevent injection. Monitoring for unusual metric patterns may help detect exploitation attempts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-06-05T12:07:20.886Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29b7f71a4077f7804aaf42
Added to database: 6/10/2026, 7:16:07 PM
Last enriched: 6/10/2026, 7:30:55 PM
Last updated: 6/10/2026, 7:45:03 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.