CVE-2025-49132
Published 2025-06-20
Priority: P1 (91) · CVSS 3.1 base score 10 (critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 13.11% (95.9th percentile)
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pterodactyl | panel | < 1.11.11 | 1.11.11 |
| pterodactyl | panel | >= 0 < 1.11.11 | 1.11.11 |
Detection & IOCs
yara: words '{"app":{"version":' AND '"key":"base64{{'
- Detect exploitation attempts by monitoring GET requests to /locales/locale.json with path traversal sequences in the 'locale' query parameter (e.g., ..%2F..%2F or ../../) targeting the config file.
- A successful exploitation response will contain both '{"app":{"version":' and '"key":"base64{{' in the HTTP response body, indicating the Panel's .env/config (including APP_KEY) has been leaked.
- Use Shodan/FOFA queries to identify exposed Pterodactyl panels as potential targets: title:"Pterodactyl", favicon hashes -456405319 or 846001371, or Set-Cookie header containing 'pterodactyl_session='.
- The vulnerability is unauthenticated — no session cookie or credentials are required. Any GET request to the vulnerable endpoint from an unauthenticated source should be treated as suspicious.
- Extract the APP_KEY value from the JSON response body using the JSON path '.[] | .app.key' to confirm full config disclosure and assess blast radius.
- There are no software workarounds; a WAF is the only interim mitigation. WAF rules should block path traversal sequences (..%2F, ../, %2F..) in the 'locale' query parameter of requests to /locales/locale.json.
- Successful exploitation can expose the Panel's APP_KEY (base64-encoded), database credentials, and other sensitive .env config values — treat any leak of these as a full compromise indicator requiring credential rotation.
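As an added example (not from any of the sources on this page), the two detection indicators above implemented as code: a scanner over access-log lines that flags GET requests to /locales/locale.json whose `locale` or `namespace` parameter carries a traversal sequence (raw, URL-encoded or double-encoded), and a response-body check for the two leak markers. The log lines and the response body are constructed samples, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=dashboard HTTP/1.1" 200 1532
203.0.113.11 - - [20/Jun/2025:10:00:02 +0000] "GET /locales/locale.json?locale=..%2F..%2F..%2Fconfig&namespace=app HTTP/1.1" 200 4410
203.0.113.12 - - [20/Jun/2025:10:00:03 +0000] "GET /locales/locale.json?locale=../../../config&namespace=database HTTP/1.1" 200 2201
203.0.113.13 - - [20/Jun/2025:10:00:04 +0000] "GET /api/client HTTP/1.1" 401 89
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Raw '../' or '/..'; the ..%2F and %2F.. forms become these once URL-decoded.
TRAVERSAL_RE = re.compile(r"\.\./|/\.\.")
# Both strings appearing together in a response body mark a leaked Panel config.
LEAK_MARKERS = ('{"app":{"version":', '"key":"base64{{')


def traversal_in_locale_params(target):
    """True if the request path is /locales/locale.json and the 'locale' or
    'namespace' query parameter contains a path-traversal sequence."""
    parts = urlsplit(target)
    if parts.path != "/locales/locale.json":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("locale", "namespace"):
        for value in params.get(name, []):
            # parse_qs decodes once; unquote again so double-encoded ..%252F is caught too.
            if TRAVERSAL_RE.search(unquote(value)):
                return True
    return False


def find_suspicious_requests(log_text):
    """Return the client addresses of GET requests matching the traversal indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET" and traversal_in_locale_params(m.group("target")):
            hits.append(line.split()[0])  # first field of the log line is the client address
    return hits


def response_leaks_config(body):
    """True when both leak markers appear, i.e. the Panel's config (incl. APP_KEY) came back."""
    return all(marker in body for marker in LEAK_MARKERS)


if __name__ == "__main__":
    print(find_suspicious_requests(SAMPLE_LOG))
```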
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| VulnCheck | | 10.0 | CRITICAL | |
GHSA · 2025-06-19 · CVE-2025-49132 [CRITICAL] · CWE-94
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
## Impact
Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated.
With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.
## Patches
This vulnerability was patched by https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08ab
OSV · 2025-06-19 · CVE-2025-49132 [CRITICAL]
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
VulnCheck · 2025 · CVSS 10.0 · CVE-2025-49132 [CRITICAL]
pterodactyl panel Improper Control of Generation of Code ('Code Injection')
Affected: pterodactyl panel
No detection rules found.
Exploit-DB · 2025-06-26 · CVSS 10.0 · CVE-2025-49132 [CRITICAL]
Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)
---
```python
# Exploit Title: Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)
# Date: 22/06/2025
# Exploit Author: Zen-kun04
# Vendor Homepage: https://pterodactyl.io/
# Software Link: https://github.com/pterodactyl/panel
# Version: {data['username']}:{data['password']}@{data['host']}:{data['port']}/{data['database']}{colorama.Fore.RESET}")
        except json.JSONDecodeError:
            print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET)
        except TypeError:
            print(colorama.Fore.YELLOW + "Vulnerable but no database" + colorama.Fore.RESET)
    else:
        print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET)
except requests.RequestException as e:
    if "NameResolutionError" in str(e):
        print(colorama.Fore.RED + "Invalid target or unable to reso
```
Nuclei · CVSS 10.0 · CVE-2025-49132 [CRITICAL]
Pterodactyl Panel - Remote Code Execution
Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
Template:
```yaml
id: CVE-2025-49132
info:
  name: Pterodactyl Panel - Remote Code Execution
  severity: critical
  author: darses
  description: |
    Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
  impact: |
    With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's serv
```