CVE-2026-45179 PUBLISHED

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses

Assigner: CPANSec
Reserved: 09.05.2026 Published: 10.05.2026 Updated: 10.05.2026

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.

If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.

Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.
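The difference on the wire, as an added example that is not code from Plack::Middleware::Statsd: the metric name, key, sub names and the choice of HMAC-SHA256 are assumptions made for illustration. It builds the statsd set payload for the same constructed requests with the raw address and with a keyed HMAC of it.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions: metric name, key and sub names are illustrative only and are
# not taken from Plack::Middleware::Statsd; HMAC-SHA256 is chosen for the demo.
my $METRIC = 'example.remote_addr';

# statsd "set" payload: name:value|s (the daemon counts distinct values).
sub set_payload {
    my ($value) = @_;
    return "${METRIC}:${value}|s";
}

# What the advisory warns about: the raw address travels in the datagram.
sub cleartext_payload {
    my ($ip) = @_;
    return set_payload($ip);
}

# Keyed pseudonym: the same address and key always give the same token, so
# the set still counts unique clients. The key must stay secret, because the
# IP address space is small enough to enumerate against an unkeyed hash.
sub hmac_payload {
    my ( $ip, $key ) = @_;
    die "HMAC key must not be empty\n" unless defined $key && length $key;
    return set_payload( hmac_sha256_hex( $ip, $key ) );
}

# Constructed sample input (RFC 5737 documentation addresses).
my $key      = 'constructed-demo-key';    # in practice, load from a secret store
my @requests = qw(192.0.2.10 198.51.100.7 192.0.2.10);

my ( %raw_seen, %tok_seen );
for my $ip (@requests) {
    my $clear = cleartext_payload($ip);
    my $token = hmac_payload( $ip, $key );
    $raw_seen{$clear}++;
    $tok_seen{$token}++;
    print "cleartext: $clear\n";
    print "hmac:      $token\n";
}

# The distinct-value counts match, so unique-client metrics survive the change
# while the payload no longer carries an address an observer can read.
printf "distinct cleartext values: %d, distinct HMAC values: %d\n",
    scalar keys %raw_seen, scalar keys %tok_seen;
```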

Product Status

Vendor: RRWO
Product: Plack::Middleware::Statsd
Versions: Default: unaffected
  • affected from 0 to 0.9.0 (excl.)

Workarounds

Use a statsd daemon on the same host or through a secure communications channel.

Solutions

Upgrade to version 0.9.0 or later.

Problem Types

  • CWE-319: Cleartext Transmission of Sensitive Information