External risk intelligence

DataDog DogStatsd Perl Metric Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-11362

A vulnerability in DataDog::DogStatsd for Perl, versions up to 0.07, allows metric injection through untrusted event tags, potentially corrupting monitoring data. The `format_event` method does not adequately sanitize tag content, enabling attackers to manipulate reported metrics. Its relevance depends on whether syste

Halo Surface Signal: 2

Binary Datadog\

0.07 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-11362

DogStatsd is a local agent or library typically used to collect metrics within a private application environment or internal network. It is not designed to be exposed directly to the public internet, and standard deployment patterns involve communication over internal network sockets or local IPC, making public-facing exposure uncommon.

PCI scan relevance

PCI Relevance for CVE-2026-11362

Yes

CVE-2026-11362 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in DataDog::DogStatsd allows for metric injection via event tags, posing a critical risk that would likely cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in DataDog::DogStatsd for Perl, specifically in versions up to 0.07, where untrusted input in event tags can lead to metric injection. This could allow an attacker to manipulate the metrics being reported, potentially impacting data integrity and system monitoring. The main concern is confirming relevance and exposure.

  • Malicious tags can inject false metrics.
  • Affects data integrity and monitoring systems.
  • Confirm relevance and exposure of affected systems.

Attack Path

How an attacker could exploit the issue

An attacker can inject malicious metrics into a DataDog agent by sending specially crafted event tags. This occurs because the `format_event` method within the `DataDog::DogStatsd` Perl module does not adequately validate the content of these tags, allowing characters such as commas, newlines, pipes, and colons to pass through. The DogStatsD datagram format treats these characters as tag, record, field, and key/value delimiters, so a tag value containing them is parsed as additional fields or as entirely new metrics. This vulnerability can lead to significant data corruption and potentially allow attackers to manipulate the metrics reported by the agent.

  • No authentication required.
  • Inject metrics via event tags.
  • Data corruption and manipulation.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, unsanitized event tags in DataDog::DogStatsd could allow attackers to inject metrics, altering the data collected and potentially impacting service behavior. This occurs when untrusted input is processed without proper validation of tag content, which can include characters that enable injection.

  • Injected metrics could corrupt collected data.
  • Untrusted input in event tags.
  • Altered metric data and service behavior.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The ownership for this vulnerability likely falls to the application teams or developers responsible for integrating DataDog::DogStatsd within their Perl applications, as they control the input to the affected `format_event` method. The first practical step is to identify all instances of DataDog::DogStatsd, determine if they are processing untrusted input, and assess their business criticality to prioritize remediation efforts with the responsible application owners.

  • Application owners should address the issue.
  • Verify untrusted input processing first.
  • Plan remediation based on risk.

Frequently asked questions

What is DataDog::DogStatsd for Perl?

It is a software library used by Perl developers to send application metrics and events to a monitoring system. It acts as a bridge, allowing your code to report performance data or state changes to an agent, which then forwards that information for visualization and alerting.

How does CVE-2026-11362 enable metric injection?

This vulnerability stems from improper input sanitization, classified as CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-150 (Improper Neutralization of Escape Sequences). Because the library fails to validate event tags, an attacker can use characters like newlines, colons, or pipes to break out of the intended data format and inject unauthorized or false metrics into your monitoring stream.

When does this vulnerability trigger?

The issue is triggered whenever the library's `format_event` method processes input that contains untrusted data, such as user-provided strings placed into tags. It does not occur if your application strictly controls and filters all tag content before passing it to the library, or if the tags consist solely of hardcoded, trusted values that contain no special metacharacters.
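The following example illustrates both the attack path described earlier (delimiter characters in a tag changing how the datagram parses) and the mitigation stated in this answer (filtering tag content before it reaches the library). It is added here and is not code from the advisory or from the DataDog::DogStatsd module; it does not call the module's API at all. The event datagram layout (`_e{title_len,text_len}:title|text|...|#tags`) follows the public DogStatsD wire format, the ASCII tag character rules are taken from Datadog's tag documentation, and the `env` tag, the `deploy` event and the untrusted sample values are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example: an input-side tag sanitiser and an output-side datagram
# audit for DogStatsD clients. Not code from the advisory or from
# DataDog::DogStatsd; the layout follows the public DogStatsD wire format
# and the sample inputs below are constructed.
use strict;
use warnings;

# ASCII subset of Datadog's documented tag rules: start with a letter, then
# letters, digits, underscores, minuses, colons, periods or slashes, at most
# 200 characters.
my $TAG_OK = qr/\A[A-Za-z][A-Za-z0-9_\-:.\/]{0,199}\z/;

# Return "key:value" in a form any DogStatsD client can emit as ONE tag, or
# undef if nothing usable remains. Newline, pipe and comma are replaced
# because the wire format uses them as record, field and tag separators;
# anything else outside the allowed set is replaced the same way.
sub sanitize_tag {
    my ($key, $value) = @_;
    return unless defined $key && defined $value;
    my $tag = "$key:$value";
    return $tag if $tag =~ $TAG_OK;               # already clean
    $tag =~ s/[^A-Za-z0-9_\-:.\/]/_/g;            # neutralise metacharacters
    $tag = substr $tag, 0, 200;                   # enforce the length limit
    return $tag =~ $TAG_OK ? $tag : undef;        # still bad? refuse it
}

# Audit a datagram as it would leave the client. An event datagram is
#   _e{title_len,text_len}:title|text|...|#tag1,tag2
# The length prefix frames title and text, but the tag field has no such
# framing, which is why a metacharacter in a tag changes the parse. Returns
# a list of findings; an empty list means the datagram parses as intended.
sub audit_datagram {
    my ($datagram) = @_;
    my @findings;
    my @records = split /\r?\n/, $datagram;
    push @findings, sprintf('%d records in one datagram (newline injection)', scalar @records)
        if @records > 1;
    for my $record (@records) {
        # Tags are the final field; everything after the first "|#" belongs to them.
        next unless $record =~ /\|#(.*)\z/;
        for my $tag (split /,/, $1) {
            push @findings, "tag '$tag' violates tag rules" unless $tag =~ $TAG_OK;
        }
    }
    return @findings;
}

# Constructed samples: attacker-controlled strings handed to the client as
# the value of an "env" tag on a deploy event.
my @untrusted = (
    "prod\nfake.metric:9999|g",      # newline appends a whole new metric
    "prod,host:attacker|c",          # comma and pipe forge tags and fields
    "prod",                          # benign control value
);

for my $value (@untrusted) {
    my $raw   = "_e{6,4}:deploy|done|#env:$value";   # what an unsanitised client emits
    my @found = audit_datagram($raw);
    printf "raw:       %s\n", @found ? join('; ', @found) : 'clean';

    my $tag = sanitize_tag('env', $value);
    if (defined $tag) {
        my @after = audit_datagram("_e{6,4}:deploy|done|#$tag");
        printf "sanitised: %s -> %s\n\n", $tag, @after ? join('; ', @after) : 'clean';
    } else {
        print "sanitised: value rejected\n\n";
    }
}
```

Run as a plain script: the first sample is reported as two records in one datagram, the second as a tag that violates the tag rules, and the control value as clean; after `sanitize_tag` every sample audits as clean because the delimiters have been folded into a single tag. `sanitize_tag` belongs at the point where the application builds tags from external input, before any call into DataDog::DogStatsd; `audit_datagram` is useful in unit tests or on a local capture of the UDP traffic to confirm that no tag is reaching the agent with delimiter characters intact.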

Do I need to worry about internet exposure?

Halo Surface Signal indicates that this component is typically used within private application environments or internal networks. Because it is rarely designed to be directly reachable from the public internet, the risk is lower than for web-facing services, though you should still verify if your specific implementation processes data from untrusted network sources.

How should I respond to this vulnerability?

First, conduct an inventory to locate where this specific library version is used in your environment. Prioritize applications that accept and process external or untrusted user input. Once identified, coordinate with your development teams to determine if the input flows can be secured or if updates are required to sanitize the data before it reaches the library.
