Security Advisories (1)
CVE-2026-45180 (2026-05-10)

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.
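The exposure described in the advisory, as an added Perl sketch (not code from Catalyst::Plugin::Statsd or Plack::Middleware::Statsd): it builds the payload of a statsd set metric carrying a raw session id, then the same metric carrying a keyed digest. The helper names, session ids and key are constructed, and using HMAC-SHA256 here is an assumption about one reasonable pseudonymisation, not a description of how `secure_set_key` is implemented.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed sample values, not taken from any real deployment.
my @session_ids = (
    '3f9c1e7ab2d44c0e9a6b5d8f10e2c7a4',
    '3f9c1e7ab2d44c0e9a6b5d8f10e2c7a4',    # same user, second request
    'a81d0c55e7f94b12b3c6d9e0f4a27b68',
);
my $secret_key = 'constructed-example-key';    # in practice: loaded from secret storage

# statsd "set" line: <name>:<value>|s  (sent as a plaintext UDP datagram)
sub set_metric {
    my ( $name, $value ) = @_;
    return sprintf '%s:%s|s', $name, $value;
}

# Hypothetical helper: keyed digest, so the value on the wire cannot be
# replayed as a session cookie and cannot be recomputed without the key.
sub pseudonymise {
    my ( $value, $key ) = @_;
    return hmac_sha256_hex( $value, $key );
}

# True if the datagram payload contains the session id verbatim.
sub leaks_session_id {
    my ( $payload, $sid ) = @_;
    return index( $payload, $sid ) >= 0;
}

my ( %raw_set, %safe_set );
for my $sid (@session_ids) {
    my $raw  = set_metric( 'catalyst.sessionid', $sid );
    my $safe = set_metric( 'catalyst.sessionid', pseudonymise( $sid, $secret_key ) );

    printf "raw : %s  leaks=%d\n", $raw,  leaks_session_id( $raw,  $sid ) ? 1 : 0;
    printf "safe: %s  leaks=%d\n", $safe, leaks_session_id( $safe, $sid ) ? 1 : 0;

    $raw_set{$raw}++;
    $safe_set{$safe}++;
}

# The set metric only counts distinct values, so the digest keeps it useful:
# both forms yield the same number of unique sessions.
printf "unique sessions: raw=%d safe=%d\n", scalar keys %raw_set, scalar keys %safe_set;
```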

Changes for version v0.10.0 - 2026-05-09

  • Security
    • The catalyst.sessionid metric is no longer logged unless Plack::Middleware::Statsd v0.9.0 or later is used with the secure_set_key. This avoids leaking session ids, which might be usable as authentication tokens (CVE-2026-45180).
  • Documentation
    • Added a SECURITY CONSIDERATIONS section which documents how to use the secure set logging feature.
    • Added a security policy.
    • Updated copyright year.
    • Updated author email due to issues with cpan.org email forwarding.
    • Generate README with the UsefulReadme plugin.
    • Remove the INSTALL file (since instructions are now in the README).
    • Fixed typos.
  • Toolchain
    • Remove use of Dist::Zilla::ManifestSkip plugin.
    • Stopped signing distributions, since Module::Signature is deprecated.
    • Added doap.xml to the distribution.
  • Tests
    • Added more author tests.

Documentation

Modules

Log Catalyst stats to statsd