CVE-2025-69198Uncontrolled Resource Consumption in Panel

CWE-400Uncontrolled Resource ConsumptionCWE-413Improper Resource LockingCWE-667Improper LockingCWE-362Race Condition4 documents4 sources
Severity
6.0MEDIUMNVD
EPSS
0.0%
top 85.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pterodactyl Panel
Timeline
PublishedJan 19
Latest updateJan 20

Description

Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Affected Packages2 packages

NVDpterodactyl/panel< 1.12.0
Packagistpterodactyl/panel< 1.12.0

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted2026-01-20
OSV
Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted2026-01-20

🕵️Threat Intelligence

1
Wiz
CVE-2025-69198 Impact, Exploitability, and Mitigation Steps | Wiz