CVE-2026-11373

JASEI · Net::Statsite::Client

Net::Statsite::Client for Perl fails to sanitize metric names and values, allowing for metric injection attacks via newline and control character manipulation.

Executive summary

Insufficient input sanitization in the JASEI Net::Statsite::Client library is a critical metric injection vulnerability: an attacker who controls a metric name or value can manipulate the protocol traffic the library sends to statsite.

Vulnerability

The library fails to sanitize newlines, colons, or pipe characters within metric names and values. Because the statsite line protocol uses colons and pipes to delimit fields and newlines to delimit records, an attacker can inject arbitrary records into the statsite protocol stream, potentially leading to data corruption or secondary attacks on downstream metric collectors.

Business impact

Successful exploitation allows for the compromise of monitoring data integrity, which can be used to hide malicious activity or trigger false alerts. With a CVSS score of 9.1, this flaw poses a critical risk to the reliability and security of observability pipelines and the systems that rely on them for performance analysis.

Remediation

Immediate Action: Update the Net::Statsite::Client library to the latest version provided by the maintainers.

Proactive Monitoring: Monitor metric ingestion logs for anomalous characters or for records that deviate from the expected name:value|type protocol format.

Compensating Controls: Implement input validation at the application layer before passing data to the Net::Statsite::Client library to ensure no control characters are present.
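The two controls above, the application-layer guard and the ingestion-side audit, as an added example that is not code from the library or the advisory. It assumes the statsite line format `name:value|type` with an optional `|@rate` field; the metric type list and the sample inputs are constructed for the demonstration.

```python
import re

# Added example (not Net::Statsite::Client code): guard metric inputs before
# they reach the client, and audit an ingested stream for malformed records.
# Assumed statsite line format: "name:value|type" plus optional "|@rate".

SEPARATORS = {":", "|"}                      # field delimiters in the line
VALID_TYPES = {"kv", "g", "c", "ms", "s"}    # assumed statsite metric types
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # newline and other control chars
_NUMBER = re.compile(r"^-?\d+(?:\.\d+)?$")


def validate_metric(name, value):
    """Application-layer guard: return (ok, reason). Reject anything that
    could start a new record or shift a field boundary once assembled."""
    if not name:
        return False, "empty name"
    if _CONTROL.search(name):
        return False, "control character in name"
    if any(ch in SEPARATORS for ch in name):
        return False, "field separator in name"
    if not _NUMBER.match(str(value)):
        return False, "value is not a plain number"
    return True, None


def audit_stream(raw):
    """Ingestion-side audit: list (lineno, reason, line) for every record
    that does not parse as a well-formed 'name:value|type[|@rate]'."""
    findings = []
    for lineno, line in enumerate(raw.split("\n"), 1):
        if not line:
            continue
        if _CONTROL.search(line):
            findings.append((lineno, "control character", line))
            continue
        head, _, rest = line.partition("|")
        name, colon, value = head.partition(":")
        fields = rest.split("|")
        if not colon or not name or not _NUMBER.match(value):
            findings.append((lineno, "malformed name:value", line))
        elif fields[0] not in VALID_TYPES:
            findings.append((lineno, "unknown type", line))
        elif len(fields) > 2 or (len(fields) == 2 and not fields[1].startswith("@")):
            findings.append((lineno, "unexpected extra field", line))
    return findings


# Constructed inputs: a clean metric and a name carrying a newline-injected record.
CLEAN = validate_metric("cpu.load", 0.5)                         # (True, None)
INJECTED = validate_metric("cpu.load\nauth.failures:0|g", 1)     # rejected
```

Note that once a newline has split a record, both halves can look well-formed to the receiver, which is why the guard at the sending application is the primary control and the audit is a secondary check.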

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity score, organizations using this library in their Perl environments must prioritize updating to a version that enforces proper sanitization of metric inputs. Failure to patch may result in the corruption of critical monitoring infrastructure.