Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable JWT endpoint, no privileges or interaction needed once a prior token is held; full confidentiality and integrity impact via account takeover, no availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
AnalysisAI
Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.
Technical ContextAI
Perry (cpe:2.3:a:perryts:perry) is a TypeScript-based application platform that wraps JWT-based session handling through a stdlib verify_decode helper. The root cause is CWE-613 (Insufficient Session Expiration): the helper unconditionally sets the jsonwebtoken validate_exp option to false, meaning the 'exp' claim inside the JWT payload is never compared against the current time. As a result, every downstream jwt.verify() call in the application - regardless of caller intent - accepts arbitrarily aged tokens as valid, breaking the contract that short-lived bearer tokens provide a bound on session lifetime.
RemediationAI
Vendor-released patch: Perry 0.5.1166 - upgrade immediately per the GitHub Security Advisory GHSA-5324-c68v-8w62 (https://github.com/PerryTS/perry/security/advisories/GHSA-5324-c68v-8w62) and release notes (https://github.com/PerryTS/perry/releases/v0.5.1166). Because the vulnerability invalidates session revocation, operators should also rotate the JWT signing secret/key after upgrading so that any tokens issued during the vulnerable window are cryptographically invalidated; note that this will force all users to re-authenticate. If immediate upgrade is impossible, a compensating control is to wrap or monkey-patch verify_decode (or the stdlib JWT path it calls) to explicitly re-check the exp claim against current time before trusting the decoded payload, and to shorten gateway-level session TTLs at a reverse proxy - be aware this only mitigates app-layer reuse and does not fix any downstream consumer that calls jwt.verify() directly.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37126