VYPR
Critical severity (9.1) · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-53776

Description

Perry before 0.5.1166 unconditionally disables JWT expiration validation, allowing indefinite reuse of expired tokens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The JWT validation module in Perry before version 0.5.1166 contains a critical flaw in the verify_decode helper (crates/perry-stdlib/src/jsonwebtoken.rs:355-358). The helper unconditionally sets validation.validate_exp = false, which instructs the underlying jsonwebtoken Rust crate to skip the exp claim entirely [1][3]. As a result, every jwt.verify() call in a Perry application accepts a token with any exp value, including one that expired years ago. All JWT verification paths go through this single helper, and callers have no option to turn expiration enforcement back on [1].

Exploitation

An attacker needs only a previously issued bearer token (for example, one captured on the wire during normal authentication or leaked from a session store or log). With no further credentials or access, the attacker presents the expired token to any Perry endpoint that relies on jwt.verify(); the token is accepted as long as its signature verifies under the server's key [1][3]. No user interaction or race condition is required: the attacker simply sends the expired token in an HTTP Authorization header, or wherever the application reads bearer tokens from.

Impact

Successful exploitation lets the attacker keep authenticated access indefinitely. In a deployment where the exp claim is the only bound on a token's lifetime, this defeats session expiry, user logout, forced session revocation and administrative revocation alike [1][3], because none of them can invalidate a stateless JWT whose expiry is never checked. The attacker can perform any action permitted by the compromised account's privileges, putting the confidentiality, integrity and availability of the application and its data at high risk.

Mitigation

The vulnerability is fixed in Perry version 0.5.1166 [2]; users should upgrade to that version or later without delay. No workaround is known for affected versions. The fix removes the unconditional validate_exp = false so that expiration is validated by default, matching the behavior of the Node.js jsonwebtoken package [1]. After upgrading, confirm that the build in use is at least v0.5.1166 and that jwt.verify() rejects a correctly signed token whose exp lies in the past.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Perryts/Perry, 2 versions:
    • (no CPE)
    • (no CPE), range: <0.5.1166

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The verify_decode helper unconditionally sets validate_exp = false, disabling JWT expiration enforcement for all callers."

Attack vector

An attacker who obtains a previously issued bearer token (e.g., via network interception, log leakage, or a compromised client) can present that token to any `jwt.verify()` call in a Perry application, even after the token's `exp` claim has passed. Because the stdlib helper unconditionally disables expiry validation [1], the token is accepted as valid indefinitely as long as the cryptographic signature is correct. This allows the attacker to retain authenticated access with no time-bounded limit, bypassing session expiry, user logout, and administrative revocation.

Affected code

The vulnerability is in `crates/perry-stdlib/src/jsonwebtoken.rs` lines 355–358, where the `verify_decode` helper unconditionally sets `validation.validate_exp = false`, disabling JWT expiration enforcement for all callers of `jwt.verify()` in Perry's stdlib [1].

What the fix does

The advisory does not provide a patch diff, but the remediation is to remove the line `validation.validate_exp = false` from the `verify_decode` helper (or make it a caller-controlled option that defaults to enforcing expiry), so that JWT expiration is enforced by default, matching the Node.js `jsonwebtoken` package that Perry aims to be API-compatible with [1]. Without this change, every caller of `jwt.verify()` silently accepts expired tokens.

Preconditions

  • input: Attacker must possess a previously issued bearer token (e.g., via network interception, log leakage, or a compromised client).
  • config: The target Perry application must use jwt.verify() for authentication and must not maintain an independent server-side token denylist.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)

No linked articles in our index yet.