Mojolicious::Plugin::Statsd Metric Injection Vulnerability

Vulnerability

A vulnerability in Mojolicious::Plugin::Statsd, affecting versions through 0.04, allowed metric injection. The plugin did not validate metric names and values, so input from untrusted sources could introduce additional StatsD metrics. The issue was addressed in version 0.06, which moved the plugin to a separate StatsD client, Net::Statsd::Tiny, that mitigates this class of injection. Users of version 0.06 or later must, however, still manually specify this client.

Impact

Exploitation of this vulnerability could lead to unauthorized metric injections, allowing for the manipulation of statistics reported to a StatsD server.

Reproduction

To reproduce this vulnerability, use Mojolicious::Plugin::Statsd version 0.04 or earlier. Send metrics whose names or values include characters that act as delimiters in the StatsD line protocol, such as newlines, colons, or pipes. The plugin accepts them unvalidated, so additional, unintended StatsD metrics are created.
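The mechanism described above, as an added example that is not the plugin's or Net::Statsd::Tiny's code: a minimal parser that splits a StatsD datagram into metrics the way a server does, an encoder that interpolates untrusted input without validation (constructed to mirror the behaviour the advisory describes), and a hardened encoder that rejects names and values carrying protocol delimiters. The metric names and values are constructed for the demonstration, and the allowed character sets are an assumption chosen here, not the plugin's rules.

```python
import re
from dataclasses import dataclass

# StatsD wire format, one metric per line:
#   <name>:<value>|<type>[|@<sample_rate>]
# Newlines, colons and pipes are therefore protocol delimiters.


@dataclass(frozen=True)
class Metric:
    name: str
    value: str
    mtype: str


def parse_statsd_payload(payload: str) -> list:
    """Split a datagram into metrics the way a StatsD server does."""
    metrics = []
    for line in payload.split("\n"):
        if not line:
            continue
        name, _, rest = line.partition(":")
        value, _, tail = rest.partition("|")
        mtype = tail.split("|", 1)[0]  # drop an optional |@rate suffix
        metrics.append(Metric(name, value, mtype))
    return metrics


def naive_encode(name: str, value, mtype: str = "c") -> str:
    """Unvalidated interpolation, constructed to mirror the advisory's description."""
    return f"{name}:{value}|{mtype}"


# Allowed character sets are an assumption chosen for this example.
NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")
VALUE_RE = re.compile(r"[+-]?\d+(\.\d+)?")
ALLOWED_TYPES = frozenset({"c", "g", "ms", "s"})


def is_valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def is_valid_value(value) -> bool:
    return VALUE_RE.fullmatch(str(value)) is not None


def safe_encode(name: str, value, mtype: str = "c") -> str:
    """Reject, rather than sanitize, anything that could carry a delimiter."""
    if not is_valid_name(name):
        raise ValueError(f"invalid metric name: {name!r}")
    if not is_valid_value(value):
        raise ValueError(f"invalid metric value: {value!r}")
    if mtype not in ALLOWED_TYPES:
        raise ValueError(f"invalid metric type: {mtype!r}")
    return f"{name}:{value}|{mtype}"


# Constructed untrusted input: a "metric name" that smuggles a second line.
INJECTED_NAME = "requests.ok:1|c\nprivileged.action"


def demo():
    """Return (metrics produced by the naive encoder, whether the safe encoder rejected)."""
    naive = parse_statsd_payload(naive_encode(INJECTED_NAME, 1))
    try:
        safe_encode(INJECTED_NAME, 1)
        rejected = False
    except ValueError:
        rejected = True
    return len(naive), rejected


if __name__ == "__main__":
    count, rejected = demo()
    print(f"naive encoder emitted {count} metrics from one call; "
          f"hardened encoder rejected the input: {rejected}")
```

One call to the naive encoder yields two metrics at the server because the injected name carries its own newline-terminated line; the hardened encoder refuses the same input before anything is sent. Rejecting rather than stripping delimiters keeps bad input visible in application logs instead of silently rewriting metric names.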

Remediation

Users can upgrade to Mojolicious::Plugin::Statsd version 0.06 or later, which includes the necessary fix. Instructions for downloading this version are available on MetaCPAN.

Added: May 26, 2026, 11:39 PM
Updated: May 26, 2026, 11:39 PM

Vulnerability Rating

Custom Algorithm

  spread           0.0
  impact           0.6
  exploitability   8.4
  remediation      0.0
  relevance        9.6
  threat           4.8
  urgency          2.9
  incentive        4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.