CVE-2026-45179

Summary

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.

Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.

Affected Software

VendorProductVersion RangeStatus
RRWOPlack::Middleware::Statsd0 < 0.9.0affected

Weaknesses

  • CWE-319: CWE-319 Cleartext Transmission of Sensitive Information

Workarounds

Use a statsd daemon on the same host or through a secure communications channel.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References