Impact
An attacker who can control the WebSocket connection between the build server and a Perry client can supply artifact_name or download_path values containing unsanitized path components, causing the client to write attacker-controlled content to any location the client process can write to. This allows overwriting sensitive files or exposing local files, compromising confidentiality and integrity. The weakness is classified as CWE-22, Path Traversal.
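As an added defensive illustration (not code from Perry or from this advisory), the following TypeScript check is what a client could apply to server-supplied values before writing an artifact: it confines the target to a sandbox directory and rejects absolute paths, separator characters in the file name, and ".." components. Only the two field names come from the advisory; the function name, the message shape and the sample values are assumptions.

```typescript
import * as path from "node:path";

// Assumed shape of the build-server message; the two field names come from
// the advisory, the surrounding structure is constructed for this example.
interface ArtifactMessage {
  artifact_name: string;
  download_path: string;
}

// Return the absolute path the client may write to, or null when the
// server-supplied values would place the file outside sandboxDir.
function safeArtifactTarget(sandboxDir: string, msg: ArtifactMessage): string | null {
  const root = path.resolve(sandboxDir);
  const { artifact_name: name, download_path: dir } = msg;

  // artifact_name must be a bare file name: no separators (either style), no "." or "..".
  if (name === "" || name === "." || name === ".." || /[\\/]/.test(name)) {
    return null;
  }
  // download_path must be relative and free of ".." components; checking the
  // components before joining means normalisation cannot hide one.
  if (path.isAbsolute(dir) || dir.split(/[\\/]+/).some((p) => p === "..")) {
    return null;
  }

  const target = path.resolve(root, dir, name);

  // Defence in depth: the resolved path must still lie strictly under root.
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample messages: one benign, one carrying a traversal component.
const benignMessage: ArtifactMessage = { artifact_name: "bundle.js", download_path: "dist" };
const traversalMessage: ArtifactMessage = { artifact_name: "bundle.js", download_path: "../../outside" };
```

A client that only writes to paths this function returns cannot be steered outside the sandbox by either field, whatever the server sends.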
Affected Systems
The vulnerability affects all Perry releases from the earliest version up to, but not including, 0.5.1159. The product is Perry from PerryTS; users running any pre‑0.5.1159 build are potentially impacted.
Risk and Exploitability
The CVSS score of 8.6 indicates a high severity issue. No EPSS data is available and the vulnerability is not present in the CISA KEV catalog, suggesting no known widespread exploitation so far. The likely attack vector requires the attacker to influence a client‑side WebSocket connection, which could occur in environments where build servers are widely accessible to developers or continuous integration systems. Even without a high EPSS score, the potential to overwrite critical files makes prompt remediation advisable.
OpenCVE Enrichment