medium

Metric injection in Metrics::Any::Adapter::DogStatsd (Perl) before 0.04 (CVE-2026-50638)

critical-cve-against-dependency · active

The Perl module Metrics::Any::Adapter::DogStatsd before version 0.04 does not protect against metric injection. Because the statsd/dogstatsd protocol uses newlines to separate metrics in a packet, unsanitized metric names and tags (the _tags function does not check for newlines or statsd control characters) can be abused to inject additional, attacker-controlled metrics.
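A defensive sketch of the missing check, added here as an example (it is not the module's code or its 0.04 fix): metric names are allow-listed and tag parts have control characters and statsd delimiters replaced before the datagram line is built. The helper names `clean_name`, `clean_tag_part` and `format_metric` are hypothetical, and the hostile tag value is constructed for illustration.

```perl
use strict;
use warnings;

# Characters with meaning on the statsd/dogstatsd wire: newline separates
# metrics, ':' and '|' delimit name/value/type, '@' and '#' open the
# sample-rate and tag sections, ',' separates tags.
sub clean_name {
    my ($name) = @_;
    (my $out = $name) =~ s/[^A-Za-z0-9_.]/_/g;    # allow-list for metric names
    return $out;
}

sub clean_tag_part {
    my ($part) = @_;
    # Replace ASCII control characters (including \n and \r) and delimiters.
    (my $out = $part) =~ s/[\x00-\x1f\x7f:|\@\#,]/_/g;
    return $out;
}

# Hypothetical helper: builds exactly one datagram line.
# Assumption: values are numeric only, which is stricter than the protocol.
sub format_metric {
    my ($name, $value, $type, $tags) = @_;
    die "non-numeric value\n" unless $value =~ /\A-?\d+(?:\.\d+)?\z/;
    die "unknown type\n"      unless $type  =~ /\A(?:c|g|ms|h|s|d)\z/;
    my $line  = clean_name($name) . ":$value|$type";
    my @pairs = map { clean_tag_part($_) . ':' . clean_tag_part($tags->{$_}) }
                sort keys %$tags;
    $line .= '|#' . join(',', @pairs) if @pairs;
    return $line;
}

# Constructed input: a tag value carrying a newline and a second metric.
my %tags = ( path => "/home\nlogins.failed:0|g" );
my $line = format_metric('http.requests', 1, 'c', \%tags);

# The newline, ':' and '|' in the tag value are neutralised, so the
# datagram still carries a single metric.
print "$line\n";
die "datagram would contain more than one metric\n" if $line =~ /\n/;
```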

Affected packages

Sources