Perry
Monthly
Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.
Path traversal in Perry (PerryTS) CLI versions before 0.5.1159 allows a malicious or compromised build server to write arbitrary files anywhere the Perry process can write, or exfiltrate arbitrary local files, by sending crafted artifact_name or download_path values in ArtifactReady WebSocket messages. No public exploit identified at time of analysis, but the upstream commit and tests confirm the issue and a patched release is available.
Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.
Path traversal in Perry (PerryTS) CLI versions before 0.5.1159 allows a malicious or compromised build server to write arbitrary files anywhere the Perry process can write, or exfiltrate arbitrary local files, by sending crafted artifact_name or download_path values in ArtifactReady WebSocket messages. No public exploit identified at time of analysis, but the upstream commit and tests confirm the issue and a patched release is available.