Impact
The Perry web framework implements JWT verification by using a helper that unconditionally sets validate_exp to false, effectively disabling the standard expiration check (CWE‑613). Attackers possessing a previously issued bearer token can present that expired token to any jwt.verify() call, and the framework will accept it as valid, giving the attacker continuous authenticated access even after logout or administrative revocation. This remote authentication bypass allows malicious persistence within the system, essentially granting unauthorized access over time.
Affected Systems
The vulnerability affects all releases of Perry prior to version 0.5.1166. Any installation of Perry older than that revision is vulnerable because the verify_decode function incorrectly permits expired tokens. The flaw is present across all environments where Perry is deployed, as it stems from the core JWT handling logic.
Risk and Exploitability
The CVSS score of 9.3 indicates a high severity with remote access and authentication impact, while the EPSS score of less than 1% suggests limited proof of exploitation in the wild. Because the vendor has not listed the flaw in the CISA KEV catalog, operators may be unaware of its presence. Attackers only need possession of a valid bearer token to exploit the flaw, making the attack surface broad and the exploitation path straightforward. The resulting authentication bypass enables attackers to continue using stale tokens, effectively undermining session revocation mechanisms.
OpenCVE Enrichment