How is CVE-2026-53777 exploited?

Network reachability (required): The attacker must be reachable over the network as a server that the Perry client connects to via WebSocket. Authentication (not-required): No credentials are needed; the vulnerability is triggered by any server the client is pointed at, with no account or token required. Victim interaction (required): A user must direct the Perry client to connect to an attacker-controlled server URL, requiring some degree of social engineering or supply-chain manipulation. Attack complexity (info): Exploit reliability is high once the attacker controls the server endpoint; no race conditions or special memory layout conditions are required.

What is the impact of CVE-2026-53777?

Attacker writes arbitrary content to any file path writable by the perry process, enabling overwrite of configuration files, SSH keys, shell profiles, or build scripts. Attacker moves or copies sensitive local files (credentials, tokens, source code) into a directory the server can subsequently retrieve, exfiltrating them out of the build environment. Tampered build artifacts or injected scripts can propagate downstream into CI pipelines, container images, or deployed workloads built on the compromised host.

Back to search

HIGHCVE-2026-53777Published 2026-06-11Modified 2026-06-11CNA VulnCheck

CVE-2026-53777: Perry < 0.5.1159 Path Traversal via ArtifactReady WebSocket

Q: What is CVE-2026-53777?

A path traversal vulnerability in Perry (the PerryTS build client) before version 0.5.1159 allows a malicious build server to write arbitrary file content to any location the running process can reach. The attack is delivered over the network without any authentication, but requires a user to interact with a malicious server URL; exploitation is possible when an attacker controls the server endpoint the client connects to via WebSocket. Successful exploitation lets an attacker overwrite sensitive local files or move files into attacker-accessible locations, enabling tampered build outputs, credential theft, or privilege escalation depending on the host environment. A patched-image rebuild at version 0.5.1159 is available on HarborGuard for environments running an affected version.

Q: How is CVE-2026-53777 fixed?

A patched-image rebuild at Perry 0.5.1159 becomes available through HarborGuard once the upstream fix is confirmed; for customers who opt into auto-remediation, HarborGuard runs the rebuild and regression tests and opens a PR against affected workloads automatically.

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 0.5.1159
Affected Products: 1

HarborGuard Analysis

Synopsis

A path traversal vulnerability in Perry (the PerryTS build client) before version 0.5.1159 allows a malicious build server to write arbitrary file content to any location the running process can reach. The attack is delivered over the network without any authentication, but requires a user to interact with a malicious server URL; exploitation is possible when an attacker controls the server endpoint the client connects to via WebSocket. Successful exploitation lets an attacker overwrite sensitive local files or move files into attacker-accessible locations, enabling tampered build outputs, credential theft, or privilege escalation depending on the host environment. A patched-image rebuild at version 0.5.1159 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-53777 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, covering both third-party base images and custom-built images that bundle the perry client.

Available

Triage

HarborGuard scores this CVE at CVSS 8.6 HIGH (v4.0) and is capable of weighting that score against each environment's compliance policy to route alerts to the appropriate team inbox within the customer org.

Available

Patch

A patched-image rebuild at Perry 0.5.1159 becomes available through HarborGuard once the upstream fix is confirmed; for customers who opt into auto-remediation, HarborGuard runs the rebuild and regression tests and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must be reachable over the network as a server that the Perry client connects to via WebSocket.
AuthenticationNot required
No credentials are needed; the vulnerability is triggered by any server the client is pointed at, with no account or token required.
Victim interactionRequired
A user must direct the Perry client to connect to an attacker-controlled server URL, requiring some degree of social engineering or supply-chain manipulation.
Attack complexityDetail
Exploit reliability is high once the attacker controls the server endpoint; no race conditions or special memory layout conditions are required.

Blast Radius

Attacker writes arbitrary content to any file path writable by the perry process, enabling overwrite of configuration files, SSH keys, shell profiles, or build scripts.
Attacker moves or copies sensitive local files (credentials, tokens, source code) into a directory the server can subsequently retrieve, exfiltrating them out of the build environment.
Tampered build artifacts or injected scripts can propagate downstream into CI pipelines, container images, or deployed workloads built on the compromised host.

How HarborGuard Handles This

Available on HarborGuard: scanning capability for CVE-2026-53777 matches affected Perry versions across customer registries and pipeline images, including custom-built images that embed the perry client binary. Where a customer's compliance policy permits auto-remediation, HarborGuard can rebuild images at the fixed version (0.5.1159), run regression tests against the rebuilt image, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.6 scoring and policy-weighted priority to the appropriate team. As a compensating control until a rebuild is applied, teams can restrict the server URLs the perry client is permitted to reach via network egress policy, and audit CI configuration to ensure no untrusted server endpoints are referenced in build job definitions.

See how HarborGuard automates this

Fix available

0.5.1159

Patch commits

github.com

Affected packages

PerryTS / perry
< 0.5.1159 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available