cbcvebase.
CVE-2025-49132
published 2025-06-20


Priority: P1 · 91 · critical
CVSS 3.1: 10 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 13.11% (95.9th percentile)
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.

Affected (2 ranges)

Vendor       Product   Version range      Fixed in
pterodactyl  panel     < 1.11.11          1.11.11
pterodactyl  panel     >= 0, < 1.11.11    1.11.11

Detection & IOCs (extracted from sources)

url:  /locales/locale.json?locale=..%2F..%2Fconfig&namespace=app
path: /locales/locale.json
yara: words: '{"app":{"version":' AND '"key":"base64{{'
  • Detect exploitation attempts by monitoring GET requests to /locales/locale.json whose 'locale' query parameter contains a path traversal sequence (e.g., ..%2F..%2F or ../../) pointing at the config file.
  • A successful exploitation response contains both '{"app":{"version":' and '"key":"base64{{' in the HTTP response body, indicating that the Panel's .env/config (including APP_KEY) has been leaked.
  • Use Shodan/FOFA queries to identify exposed Pterodactyl panels that may be targeted: title:"Pterodactyl", favicon hashes -456405319 or 846001371, or a Set-Cookie header containing 'pterodactyl_session='.
  • The vulnerability is unauthenticated: no session cookie or credentials are required. Any GET request to the vulnerable endpoint from an unauthenticated source should be treated as suspicious.
  • Extract the APP_KEY value from the JSON response body using the jq path '.[] | .app.key' to confirm full config disclosure and assess blast radius.
  • There are no software workarounds; a WAF is the only interim mitigation. WAF rules should block path traversal sequences (..%2F, ../, %2F..) in the 'locale' query parameter of requests to /locales/locale.json.
  • Successful exploitation can expose the Panel's APP_KEY (base64-encoded), database credentials, and other sensitive .env config values; treat any leak of these as a full-compromise indicator requiring credential rotation.
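The detection points above (traversal in the 'locale'/'namespace' parameter of requests to /locales/locale.json, and the two leak markers in a successful response) as an added, self-contained Python example; this is not code from the CVE record or from the Pterodactyl project. The access-log lines are constructed samples in combined log format; the decoder is applied repeatedly so double-encoded traversal (..%252F), which a single-decode WAF rule misses, is also caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/locales/locale.json"
LEAK_MARKERS = ('{"app":{"version":', '"key":"base64{{')  # the YARA words above
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (combined format, RFC 5737 documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2025:10:01:02 +0000] "GET /locales/locale.json?locale=..%2F..%2Fconfig&namespace=app HTTP/1.1" 200 2310
198.51.100.7 - - [20/Jun/2025:10:01:05 +0000] "GET /locales/locale.json?locale=en&namespace=app HTTP/1.1" 200 1020
203.0.113.9 - - [20/Jun/2025:10:02:11 +0000] "GET /locales/locale.json?locale=..%252F..%252Fconfig&namespace=app HTTP/1.1" 200 2310
198.51.100.8 - - [20/Jun/2025:10:03:00 +0000] "GET /api/client HTTP/1.1" 200 512
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (..%252F) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_locale_traversal(target):
    """True if the request target hits the vulnerable endpoint with a traversal
    sequence in the 'locale' or 'namespace' query parameter."""
    parts = urlsplit(target)
    if fully_decode(parts.path).rstrip("/") != VULN_PATH:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)  # strips one encoding layer
    return any(TRAVERSAL.search(fully_decode(v))
               for key in ("locale", "namespace") for v in query.get(key, []))

def scan_access_log(text):
    """Return (client_ip, request_target, status) for each suspicious GET line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "GET" and is_locale_traversal(m.group(4)):
            hits.append((m.group(1), m.group(4), int(m.group(5))))
    return hits

def response_leaks_config(body):
    """A successful exploitation response carries both leak markers."""
    return all(marker in body for marker in LEAK_MARKERS)
```

Run `scan_access_log` over real panel access logs and pair any HTTP 200 hit with `response_leaks_config` on the captured body (if your proxy logs bodies) to decide whether credential rotation is required.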

CVSS provenance

NVD:       v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL