CVE-2025-69199
published 2026-01-19CVE-2025-69199: Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack…
PriorityP336medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
0.25%
16.3th percentile
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu. Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | pterodactyl_wings | >= 0 < 1.12.0 | 1.12.0 |
| pterodactyl | panel | < 1.12.0 | 1.12.0 |
| pterodactyl | wings | < 1.12.0 | 1.12.0 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvdv4.08.3HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings
osv·2026-02-03
CVE-2025-69199 Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings
OSV
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks
osv·2026-01-20
CVE-2025-69199 [HIGH] Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks
### Summary
Websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu.
Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings.
GHSA
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks
ghsa·2026-01-20
CVE-2025-69199 [HIGH] CWE-400 Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks
Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks
### Summary
Websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu.
Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings.
No detection rules found.
No public exploits indexed.
2026-01-19
Published