CVE-2026-45179

MEDIUM

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses

Title source: cna

Description

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.

References (3)

Core 3

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/10/4

Vendor Advisory vendor-advisory

https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx

Release Notes release-notes

https://metacpan.org/release/RRWO/Plack-Middleware-Statsd-v0.9.0/changes

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (1)

RRWO/Plack::Middleware::Statsd < 0.9.0

Published May 10, 2026

Tracked Since May 11, 2026