CVE-2025-49132
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-20

Last updated on: 2025-06-23

Assigner: GitHub, Inc.

Description
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, a malicious actor could execute arbitrary code without being authenticated by sending requests to the /locales/locale.json endpoint with crafted locale and namespace query parameters. With the ability to execute arbitrary code, an attacker could gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Meta Information
Published: 2025-06-20
Last Modified: 2025-06-23
Generated: 2026-05-06
AI Q&A: 2025-06-20
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Currently, no data is known.
CWE ID and description:
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-49132 is a critical security vulnerability in the Pterodactyl game server management panel prior to version 1.11.11. It allows an unauthenticated attacker to execute arbitrary code on the server by exploiting improper input validation in the /locales/locale.json endpoint when used with the locale and namespace query parameters. This means an attacker can run malicious code remotely without needing to log in or interact with users. [2, 3]


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to a full compromise of the server hosting the Pterodactyl Panel. An attacker could read sensitive configuration files such as credentials, extract confidential database information including usernames, emails, hashed passwords, and IP addresses, and access files on servers managed by the panel. It also allows for complete data modification and service disruption, making the impact severe and wide-ranging. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious requests to the /locales/locale.json endpoint that carry locale and namespace query parameters. Since the vulnerability involves unauthenticated arbitrary code execution via these parameters, inspecting web server access logs or using network monitoring tools to identify such requests is recommended. Specific commands are not provided in the resources, but you can use tools like curl or wget to confirm that the endpoint is reachable on your installation, for example: curl -v 'http://your-pterodactyl-panel.local/locales/locale.json?locale=en&namespace=default'. Additionally, deploying a Web Application Firewall (WAF) with rules targeting this endpoint can help detect and block exploit attempts. [2]
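A small defensive check for the log-monitoring advice above, added here as an example and not code from BaseFortify or the Pterodactyl project: it parses combined-format access log lines, picks out requests to /locales/locale.json and flags locale or namespace values that fall outside a strict allowlist. The allowlist patterns and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the nginx/Apache "combined" access-log format (field layout assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "/locales/locale.json"
# Allowlists are an assumption for this example: a real locale looks like "en"
# or "pt_BR", and a namespace is a short identifier. Anything else gets flagged.
LOCALE_OK = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?$")
NAMESPACE_OK = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def classify(line):
    """Return None for lines not hitting the endpoint, else a finding dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so encoded characters are inspected as sent
    qs = parse_qs(url.query, keep_blank_values=True)
    locale = qs.get("locale", [""])[0]
    namespace = qs.get("namespace", [""])[0]
    bad_locale = bool(locale) and not LOCALE_OK.match(locale)
    bad_namespace = bool(namespace) and not NAMESPACE_OK.match(namespace)
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
        "locale": locale, "namespace": namespace,
        "suspicious": bool(bad_locale or bad_namespace),
    }

def scan(log_text):
    """Return findings for every request to the locale endpoint, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]

# Constructed sample log: one normal client request, one unrelated request, and
# two with locale/namespace values no real client would send.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=dashboard HTTP/1.1" 200 512
203.0.113.10 - - [20/Jun/2025:10:00:02 +0000] "GET /api/client HTTP/1.1" 200 2048
198.51.100.7 - - [20/Jun/2025:10:05:13 +0000] "GET /locales/locale.json?locale=en%2Fx%2Fy&namespace=x HTTP/1.1" 200 0
198.51.100.7 - - [20/Jun/2025:10:05:14 +0000] "GET /locales/locale.json?locale=en&namespace=a%20b%3Bc HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['ip']} {f['ts']} locale={f['locale']!r} namespace={f['namespace']!r}")
```

Any hit on the endpoint from an unexpected source is still worth reviewing even when the values pass the allowlist; the flag only prioritizes the obviously malformed ones.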


What immediate steps should I take to mitigate this vulnerability?

The immediate and primary mitigation step is to update the Pterodactyl Panel software to version 1.11.11 or later, which includes the official patch fixing this vulnerability. If updating immediately is not possible, disabling the /locales/locale.json endpoint at the webserver level can mitigate the risk but will break localization features. Additionally, deploying an external Web Application Firewall (WAF), such as Cloudflare's WAF with appropriate rules, can help block exploitation attempts. There are no effective software workarounds besides patching. [1, 2]

