CVE-2025-69198
Race Condition in Pterodactyl Server Resource Limits Allows Overconsumption
Publication date: 2026-01-19
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pterodactyl | panel | all versions before 1.12.0 (1.12.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-413 | The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69198 is a vulnerability in Pterodactyl Panel versions prior to 1.12.0 where per-server resource limits are not reliably enforced because no lock is taken on the target resource while a request is processed. The limit is validated at the start of each request, but since the server's resource state is not locked for the rest of the request, several concurrent requests can all pass that check before any of them commits, allowing a malicious user to create more resources (such as databases, port allocations, or backups) than the configured limit permits. This check-then-act gap is a race condition that results in resource over-allocation. [1]
How can this vulnerability impact me?
This vulnerability can lead to resource exhaustion on the affected system. A malicious user can deny resources to other users by creating excessive numbers of resources beyond configured limits, potentially consuming all node allocations or filling backup storage faster than intended. This impacts the availability of the system, possibly causing degraded service or denial of service conditions. The attack requires low privileges, no user interaction, and can be executed remotely over the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for an unusually high volume of concurrent resource creation requests (such as databases, backups, or port allocations) targeting the Pterodactyl Panel API, especially from low-privilege users. Network or application logs should be analyzed for bursts of simultaneous requests to resource creation endpoints. Specific commands are not provided in the resources, but general approaches include using network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic to the Pterodactyl API, and log analysis tools (e.g., grep, awk) to identify rapid, repeated POST requests to resource creation URLs. Additionally, checking for resource counts exceeding configured limits on servers may indicate exploitation attempts. [1, 2]
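The detection approach above can be turned into a small log check. The following is an added example, not part of the advisory or of Pterodactyl's code: it parses constructed nginx-style access-log lines and flags any source that sends a burst of POST requests to a server's resource-creation endpoints inside a short window. The endpoint paths, IP addresses, server identifiers and threshold are assumptions made for the demo; adjust the path pattern to whatever your panel actually logs.

```python
"""Added example (not from the advisory): flag bursts of resource-creation POSTs
per (source IP, server, resource) in web-server access logs.
Log lines, endpoint paths, addresses and identifiers are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log. The paths are assumed client-API
# resource-creation endpoints; 203.0.113.5 fires a burst, 198.51.100.7 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:01 +0000] "POST /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2026:10:00:05 +0000] "GET /api/client/servers/a1b2c3d4/databases HTTP/1.1" 200 2048
198.51.100.7 - - [19/Jan/2026:10:00:00 +0000] "POST /api/client/servers/e5f6a7b8/backups HTTP/1.1" 200 640
198.51.100.7 - - [19/Jan/2026:10:01:30 +0000] "POST /api/client/servers/e5f6a7b8/backups HTTP/1.1" 200 640
198.51.100.7 - - [19/Jan/2026:10:03:00 +0000] "POST /api/client/servers/e5f6a7b8/backups HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed shape of the creation endpoints; widen or replace to match your deployment.
CREATE_RE = re.compile(
    r"^/api/client/servers/(?P<server>[^/]+)/(?P<resource>databases|backups|network/allocations)/?$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bursts(lines, threshold=5, window_s=2.0):
    """Flag any (ip, server, resource) that issues >= threshold creation POSTs within window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        m = CREATE_RE.match(rec["path"])
        if not m:
            continue
        events[(rec["ip"], m["server"], m["resource"])].append(rec["ts"])

    alerts = []
    for (ip, server, resource), times in events.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then test its size.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "server": server, "resource": resource,
                               "count": end - start + 1, "at": times[end]})
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"burst: {a['ip']} -> server {a['server']} {a['resource']}: "
              f"{a['count']} POSTs ending {a['at'].isoformat()}")
```

Run it against a real log with `find_bursts(open("access.log").readlines())`; a hit means a single source pushed many creation requests at one server faster than a human would, which is the signature worth comparing against that server's actual resource counts.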
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Pterodactyl Panel to version 1.12.0 or later, where the vulnerability is fixed by implementing resource-specific rate limiting and concurrency controls with proper database locking. Until the upgrade can be applied, consider implementing external rate limiting on the API endpoints to throttle rapid resource creation requests per server, and monitor for suspicious activity. Applying network-level protections such as firewalls or API gateways to limit request rates may also help reduce risk. [1, 2]
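To make the race described in the first answer and the locking fix described here concrete, the following added example (not Pterodactyl's code) runs eight concurrent "create database" requests against one server with a constructed limit of two, first with the vulnerable count-then-insert pattern and then with the count and insert done under a database write lock. It uses a throwaway SQLite file; the table name, limit, worker count and the `BEGIN IMMEDIATE` lock are assumptions for the demo, and the MySQL analogue noted in the comment is `SELECT ... FOR UPDATE` inside a transaction.

```python
"""Added example, not code from Pterodactyl Panel: the check-then-insert race the
advisory describes, beside the same operation guarded by a database write lock.
Schema, table, limit and worker count are constructed; a throwaway SQLite file
keeps it self-contained."""
import os
import sqlite3
import tempfile
import threading
import time

LIMIT = 2      # constructed per-server limit, e.g. "max databases"
WORKERS = 8    # concurrent creation requests aimed at the same server

COUNT_SQL = "SELECT COUNT(*) FROM databases WHERE server_id = ?"
INSERT_SQL = "INSERT INTO databases (server_id) VALUES (?)"


def make_db():
    path = os.path.join(tempfile.mkdtemp(), "panel.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE databases (id INTEGER PRIMARY KEY, server_id INTEGER NOT NULL)")
    conn.commit()
    conn.close()
    return path


def connect(path):
    # isolation_level=None means autocommit; BEGIN/COMMIT are issued explicitly below.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def create_unlocked(path, server_id, limit, gap):
    """Vulnerable pattern: validate the limit, then insert, holding no lock in between."""
    conn = connect(path)
    try:
        (count,) = conn.execute(COUNT_SQL, (server_id,)).fetchone()
        if count >= limit:
            return False
        gap()  # the TOCTOU window: every other request can run the same check here
        conn.execute(INSERT_SQL, (server_id,))
        return True
    finally:
        conn.close()


def create_locked(path, server_id, limit, gap):
    """Hardened pattern: take the write lock before counting, so requests serialise."""
    conn = connect(path)
    try:
        # BEGIN IMMEDIATE acquires SQLite's write lock up front; in MySQL the
        # equivalent is a transaction with SELECT ... FOR UPDATE on the counted rows.
        conn.execute("BEGIN IMMEDIATE")
        try:
            (count,) = conn.execute(COUNT_SQL, (server_id,)).fetchone()
            if count >= limit:
                conn.execute("ROLLBACK")
                return False
            gap()  # same window, but other requests block on BEGIN IMMEDIATE until COMMIT
            conn.execute(INSERT_SQL, (server_id,))
            conn.execute("COMMIT")
            return True
        except Exception:
            conn.execute("ROLLBACK")
            raise
    finally:
        conn.close()


def barrier_gap(workers):
    # Worst-case scheduling: nobody inserts until every request has passed the check.
    barrier = threading.Barrier(workers, timeout=10)
    return barrier.wait


def sleep_gap(_workers):
    # Under the lock only one request is inside at a time (a barrier would deadlock),
    # so hold the lock briefly to show the others wait instead of sneaking past.
    return lambda: time.sleep(0.01)


def run_concurrent(create, gap_factory, limit=LIMIT, workers=WORKERS):
    """Fire `workers` concurrent requests at server 1; return how many rows exist afterwards."""
    path = make_db()
    gap = gap_factory(workers)
    threads = [threading.Thread(target=create, args=(path, 1, limit, gap)) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = sqlite3.connect(path)
    (stored,) = conn.execute(COUNT_SQL, (1,)).fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    print("unlocked:", run_concurrent(create_unlocked, barrier_gap), "rows stored, limit", LIMIT)
    print("locked:  ", run_concurrent(create_locked, sleep_gap), "rows stored, limit", LIMIT)
```

The unlocked run stores one row per worker because every request reads the count before any insert lands; the locked run stores exactly the limit, since each request must own the write lock while it counts, which is the "proper database locking" the fix relies on. External rate limiting narrows the window but does not close it; only making the count and the insert one atomic unit does.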
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability primarily affects resource availability by allowing resource exhaustion and denial of service, but it does not affect confidentiality or integrity of data, which are typically critical for compliance considerations. [1, 2]