ByteOS Network

CVE Vulnerability Details :

CVE-2026-45180

PUBLISHED

More Info Official Page

Assigner-CPANSec

Assigner Org ID-9b29abf9-4ab0-4765-b253-1875cd9b441e

Published At-10 May, 2026 | 20:03

Updated At-10 May, 2026 | 20:03

▼CVE Numbering Authority (CNA)

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.

Affected Products

Vendor

RRWO

Product

Catalyst::Plugin::Statsd

Collection URL

https://cpan.org/modules

Package Name

Catalyst-Plugin-Statsd

Repo

https://github.com/robrwo/CatalystX-Statsd

Default Status

unaffected

Versions

Affected

From 0 through 0.10.0 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-319	CWE-319 Cleartext Transmission of Sensitive Information

Type: CWE

CWE ID: CWE-319

Description: CWE-319 Cleartext Transmission of Sensitive Information

Impacts

CAPEC ID	Description
CAPEC-102	CAPEC-102 Session Sidejacking

CAPEC ID: CAPEC-102

Description: CAPEC-102 Session Sidejacking

Solutions

Upgrade to version 0.10.0 of later, which will no longer log session ids to statsd. If Plack::Middleware::Statsd is upgraded to 0.9.0 or later and is configured to log some information securely, then session ids will be logged as HMAC signatures instead.

Workarounds

Use a statsd daemon on the same host or through a secure communications channel.

References

Hyperlink	Resource
https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38	vendor-advisory
https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes	release-notes
https://www.cve.org/CVERecord?id=CVE-2026-45179	related
https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx	related