IP Address Leakage in Plack::Middleware::Statsd by Perl
CVE-2026-45179
Currently unrated
What is CVE-2026-45179?
Plack::Middleware::Statsd versions prior to 0.9.0 can inadvertently expose user IP addresses when communication with the statsd daemon is not encrypted, for instance when UDP packets are sent to a statsd host on a different network. From version 0.9.0, IP addresses are no longer logged by default. If logging of IP addresses is explicitly configured, an HMAC signature of the IP address is logged in place of the address itself, which mitigates the risk.
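The effect of that change on the wire, as an added example (not code from Plack::Middleware::Statsd). The metric name, key and client addresses are constructed, and it is an assumption that the address travels as a statsd set member in a `name:member|s` datagram.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical metric name; not taken from the module's documentation.
my $METRIC = 'example.request.remote_addr';

# statsd "set" datagram: <name>:<member>|s (the daemon counts unique members).
sub set_datagram {
    my ($member) = @_;
    return "$METRIC:$member|s";
}

# Keyed pseudonym for a client address. The key never leaves the application
# host, so an observer of the UDP traffic cannot recompute or reverse it.
sub pseudonym {
    my ($key, $ip) = @_;
    return hmac_sha256_hex($ip, $key);
}

# Constructed sample requests (documentation address ranges), one repeat visitor.
my @requests = qw(192.0.2.10 198.51.100.7 192.0.2.10 203.0.113.25);
my $key      = 'constructed-demo-key';    # assumption: loaded from a secret store

my @raw    = map { set_datagram($_) } @requests;
my @hashed = map { set_datagram(pseudonym($key, $_)) } @requests;

print "Cleartext address as set member:\n";
print "  $_\n" for @raw;
print "HMAC of address as set member:\n";
print "  $_\n" for @hashed;

# The set still counts unique clients: equal addresses give equal pseudonyms.
my %uniq_raw    = map { $_ => 1 } @raw;
my %uniq_hashed = map { $_ => 1 } @hashed;
printf "unique members: %d cleartext, %d pseudonymised\n",
    scalar(keys %uniq_raw), scalar(keys %uniq_hashed);

# Check that no client address appears in any pseudonymised datagram.
my $leaks = grep { my $d = $_; grep { index($d, $_) >= 0 } @requests } @hashed;
print "datagrams still containing an address: $leaks\n";

# A different key gives unrelated pseudonyms, so rotating the key
# breaks linkability between reporting periods.
print "pseudonym changes with key: ",
    (pseudonym('other-key', $requests[0]) ne pseudonym($key, $requests[0]) ? "yes" : "no"), "\n";
```

An unkeyed hash would not give the same protection, because the IPv4 address space is small enough to enumerate; the secrecy of the HMAC key is what keeps the pseudonym from being mapped back to an address.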
Affected Version(s)
Plack::Middleware::Statsd 0 < 0.9.0
