11 Statsd client modules allow metric injection when assembling metric names, values, or tags from untrusted input. Ineffective mitigations in some modules increase risk. Additionally, improper use of the statsd set_add method in Plack and Catalyst plugins could leak sensitive information (e.g., session IDs, IP addresses) if connections to statsd servers are unsecured. The lack of an official Statsd specification contributed to overlooked security issues.