CVE-2025-69197
Replay Vulnerability in Pterodactyl 2FA Allows Unauthorized Access

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow a TOTP code to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, but afterward the token is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it, together with a known username/password, during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-01-06
EPSS evaluated: 2026-05-25
Affected Vendors & Products
Vendor       Product   Version / Range
pterodactyl  panel     1.12.0
pterodactyl  panel     up to 1.12.0 (exclusive)
CWE ID: Description
CWE-294: A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Pterodactyl game server management panel versions 1.11.11 and below. It involves the two-factor authentication (2FA) system using Time-based One-Time Passwords (TOTP). Normally, a TOTP token should only be used once during its validity window (about 60 seconds). However, due to improper handling, the system does not mark a token as used after login, allowing an attacker who has intercepted a valid token (for example, during a screen share) and knows the username and password to reuse that token within its validity period to authenticate successfully. This flaw is classified as improper authentication and was fixed in version 1.12.0. [1]


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized access to your Pterodactyl panel account if an attacker intercepts a valid TOTP token and already knows your username and password. The attacker can reuse the intercepted token within its 60-second validity window to bypass the 2FA protection, compromising the confidentiality of your account. However, it does not affect data integrity or availability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the reuse of TOTP tokens during 2FA in Pterodactyl panel versions 1.11.11 and below. Detection can focus on monitoring authentication logs for multiple successful logins using the same TOTP token within its 60-second validity window. Since the system does not mark tokens as used, repeated use of identical TOTP tokens in a short timeframe may indicate exploitation. Specific commands depend on your logging setup, but generally, you can search authentication logs for repeated TOTP token usage or suspicious login patterns. For example, you could use grep or similar tools to search logs for repeated 2FA token entries or unusual login timestamps. However, no exact commands are provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade the Pterodactyl panel to version 1.12.0 or later, where the issue is fixed. The fix includes enhanced TOTP verification that prevents token reuse by tracking the timestamp of the last successful TOTP authentication and rejecting older tokens. Additionally, ensure that 2FA settings are properly managed so that toggling 2FA resets authentication timestamps, and monitor for any suspicious login activity. Applying the official patch or update is the most effective mitigation. [1, 2]
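
The fix described above, remembering the time step of the last accepted code and rejecting anything that is not newer, as an added example that is not Pterodactyl's own code: a minimal RFC 6238 TOTP verifier in the replay-tolerant form (the CWE-294 pattern) beside the hardened form, with a reset hook for when 2FA is toggled. The 30-second step, the one-step skew window, and the secret and timestamps used in the test are assumptions and constructed values, not Pterodactyl's actual parameters.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step (assumption, not Pterodactyl's setting)
SKEW_STEPS = 1      # accept one step of clock drift either side (assumption)
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    """Code an authenticator app would display at Unix time `now`."""
    return hotp(secret, now // STEP_SECONDS)

def verify_replayable(secret: bytes, code: str, now: int) -> bool:
    """CWE-294 pattern: any code valid in the window is accepted, however many times."""
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(secret, now // STEP_SECONDS + delta), code):
            return True
    return False

class Account:
    """Per-user 2FA state; `last_step` is the time step of the last accepted code."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_step = None

    def reset_two_factor(self) -> None:
        """Called when 2FA is disabled or re-enabled so stale state does not linger."""
        self.last_step = None

def verify_once(account: Account, code: str, now: int) -> bool:
    """Hardened check: accept a code only if its time step is newer than the last accepted one."""
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        step = now // STEP_SECONDS + delta
        if hmac.compare_digest(hotp(account.secret, step), code):
            if account.last_step is not None and step <= account.last_step:
                return False  # replay of an already-used (or older) code
            account.last_step = step
            return True
    return False
```

Note that the hardened check also rejects a code from an older step than the last accepted one, so an attacker replaying an intercepted code cannot win by trying it before the legitimate user's next login.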


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker who intercepts a valid 2FA token to reuse it within its validity window, potentially leading to unauthorized access to user accounts. Such unauthorized access can compromise the confidentiality of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. Therefore, the vulnerability poses a risk to maintaining compliance with these regulations by weakening the effectiveness of two-factor authentication controls. [1]

