Description
Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.
Published: 2026-06-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can control the build server’s WebSocket connection to a Perry client can supply artifact_name or download_path values that include unsanitized path components, enabling the client to write arbitrary content to any writable location. This allows overwriting sensitive files or exposing local files, compromising confidentiality and integrity. The weakness is classified as CWE-22, Path Traversal.

Affected Systems

The vulnerability affects all Perry releases from the earliest version up to, but not including, 0.5.1159. The product is Perry from PerryTS; users running any pre‑0.5.1159 build are potentially impacted.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity issue. No EPSS data is available and the vulnerability is not present in the CISA KEV catalog, suggesting no known widespread exploitation so far. The likely attack vector requires the attacker to influence a client‑side WebSocket connection, which could occur in environments where build servers are widely accessible to developers or continuous integration systems. Even without a high EPSS score, the potential to overwrite critical files makes prompt remediation advisable.

Generated by OpenCVE AI on June 11, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Perry to version 0.5.1159 or later, which contains the patch for the path traversal flaw.
  • Restrict the client’s ArtifactReady WebSocket connections to a whitelist of trusted build server URLs or block untrusted traffic at the network perimeter or reverse proxy level.
  • Ensure the client validates artifact_name and download_path fields to reject path traversal characters or sequences before processing them, mitigating the risk if a pending update cannot be applied immediately.
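One way to implement the field validation in the last action, as an added TypeScript example (not Perry's own code): the ArtifactReady field shape and the artifactRoot directory are assumptions, since the real schema is not on this page.

```typescript
import * as path from "path";

// Assumed shape of the two server-controlled fields the advisory names; the
// real Perry ArtifactReady schema is not reproduced on this page.
interface ArtifactReady {
  artifact_name: string;
  download_path?: string;
}

// True when `candidate` equals `root` or lies strictly inside it. Both paths
// are already absolute and normalised, so any ".." sequences have been
// resolved before the comparison is made.
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Map an ArtifactReady message to the absolute file path the client may write,
// or return null if either field would place the write outside `artifactRoot`.
// Rejecting the message outright (rather than "cleaning" the fields) means a
// server can never steer a write outside the directory it was granted.
function resolveArtifactTarget(artifactRoot: string, msg: ArtifactReady): string | null {
  const root = path.resolve(artifactRoot);
  const name = msg.artifact_name;

  // artifact_name is treated as a bare file name: no separators of either
  // flavour, no NUL bytes, and never the "." or ".." entries.
  if (!name || name.includes("\0") || /[\\/]/.test(name) || name === "." || name === "..") {
    return null;
  }

  // download_path, when present, may only select a subdirectory of the root.
  let dir = root;
  if (msg.download_path !== undefined) {
    const sub = msg.download_path;
    if (sub.includes("\0") || path.isAbsolute(sub)) return null;
    dir = path.resolve(root, sub);
    if (!isInside(root, dir)) return null;
  }

  // Defence in depth: re-check the fully resolved target against the root.
  const target = path.resolve(dir, name);
  return isInside(root, target) ? target : null;
}
```

The containment check runs on the resolved path, so a download_path that dips out of the root and back in (`job-42/../../..`) is rejected the same way as a plain `..`.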

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Perryts; Perryts perry
Vendors & Products                    Perryts; Perryts perry

Thu, 11 Jun 2026 17:30:00 +0000

Type     Values Removed   Values Added
Metrics                   ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 15:30:00 +0000

Type         Values Removed   Values Added
Description                   Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.
Title                         Perry < 0.5.1159 Path Traversal via ArtifactReady WebSocket
Weaknesses                    CWE-22
References
Metrics                       cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
                              cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T16:12:05.794Z

Reserved: 2026-06-10T20:14:32.826Z

Link: CVE-2026-53777

Vulnrichment

Updated: 2026-06-11T16:11:18.849Z

NVD

Status : Deferred

Published: 2026-06-11T16:16:24.873

Modified: 2026-06-11T21:00:53.163

Link: CVE-2026-53777

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:17:59Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')