CVE-2026-53777: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in PerryTS perry
Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.
CVSS v4.0
Score: 8.6 (High)
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-53777 is a path traversal vulnerability in Perry before version 0.5.1159. The vulnerability arises because the application does not properly sanitize pathname inputs in the artifact_name and download_path fields of ArtifactReady WebSocket messages. An attacker controlling the build server URL can exploit this to write arbitrary files to any location writable by the Perry process or expose local files to an attacker-accessible location. This can lead to unauthorized file modification or disclosure.
Potential Impact
Successful exploitation allows an attacker to overwrite sensitive files or expose arbitrary local files, potentially compromising system integrity and confidentiality. The vulnerability has a high severity with a CVSS 4.0 score of 8.6, indicating significant risk if exploited.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid trusting build servers or inputs that control artifact_name or download_path fields. Monitor for updates from the PerryTS project regarding an official fix.
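As an added illustration of the input check the mitigation above calls for (example code written here, not Perry's own): a client should treat the server-supplied artifact_name and download_path as untrusted, reject traversal segments and absolute paths outright, and confirm the final destination still lies under a locally configured root. The ArtifactReady message shape and the trustedRoot parameter are assumptions for this example.

```typescript
import * as path from "node:path";

// Message shape is assumed for this example; the advisory only names
// the artifact_name and download_path fields of ArtifactReady.
interface ArtifactReady {
  type: "ArtifactReady";
  artifact_name: string;
  download_path?: string;
}

// Reject a name that is empty, absolute (POSIX or Windows), contains NUL,
// or has any "." / ".." segment on either separator, before touching the FS.
function isSafeRelativePath(name: string): boolean {
  if (name.length === 0 || name.includes("\0")) return false;
  if (path.isAbsolute(name) || path.win32.isAbsolute(name)) return false;
  const segments = name.split(/[\\/]+/);
  return segments.every((s) => s !== "" && s !== "." && s !== "..");
}

// Resolve where an artifact may be written. download_path is server-supplied
// too, so it is only honoured as a sub-directory of the local trusted root.
// Returns null rather than throwing so the caller can drop the message and log.
function resolveArtifactDestination(
  trustedRoot: string,
  msg: ArtifactReady,
): string | null {
  if (!isSafeRelativePath(msg.artifact_name)) return null;
  const sub = msg.download_path ?? "";
  if (sub !== "" && !isSafeRelativePath(sub)) return null;

  const root = path.resolve(trustedRoot);
  const dest = path.resolve(root, sub, msg.artifact_name);

  // Defence in depth: even after segment filtering, require that the
  // resolved path is strictly inside root (not root itself, not a sibling).
  const rel = path.relative(root, dest);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep)) return null;
  if (path.isAbsolute(rel)) return null;
  return dest;
}
```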
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-06-10T20:14:32.826Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2ad481815e7002b800a88c
Added to database: 6/11/2026, 3:30:09 PM
Last enriched: 6/11/2026, 3:45:11 PM
Last updated: 6/11/2026, 6:15:30 PM