CVE-2025-69199
WebSocket Rate Limiting Bypass in Pterodactyl Wings Causes DoS

Publication date: 2026-01-19

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, WebSockets within Wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system's memory and CPU. Additionally, no limit is applied to the total size of messages being sent or received, so a malicious user can open thousands of WebSocket connections and then send massive volumes of information over them, overloading the host network and raising CPU and memory load within Wings. Version 1.12.0 patches the issue.
Affected Vendors & Products
Vendor        Product   Version / Range
pterodactyl   wings     < 1.12.0 (all releases before the fix; affected)
pterodactyl   wings     1.12.0 (the patched release, as listed in the second CPE)
Weakness (CWE)
CWE ID    Name and Description
CWE-770   Allocation of Resources Without Limits or Throttling: the product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400   Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

This vulnerability affects Wings, the server control plane for Pterodactyl, in versions prior to 1.12.0. Its WebSocket endpoints lack rate limiting and throttling, so a malicious user can open thousands of WebSocket connections and send or request excessive amounts of data through them. The result is uncontrolled consumption of network bandwidth, CPU and memory on the host, up to a denial of service. Before the fix there is no limit on the number of connections a user may hold, on the rate of requests over them, or on message size. [1]

Compliance Impact

This vulnerability affects availability only: an attacker can exhaust network, CPU and memory resources on the host, but cannot read or alter data through it. [1] That does not put it outside the data-protection frameworks, however. GDPR Article 32(1)(b) requires the ability to ensure the ongoing availability and resilience of processing systems, and the HIPAA Security Rule likewise names availability of protected health information as a property to be safeguarded, so a sustained outage of a node that hosts in-scope data can still be a compliance event even though no data is exposed or modified. The operational risk, not a data breach, is what needs to be assessed.

Impact Analysis

The vulnerability causes denial of service by overloading the host's network, CPU and memory. It is exploited over the network and needs no interaction from anyone else; as the description frames it, the actor is a user of the system (someone able to open WebSocket connections to Wings), not an anonymous peer, so the barrier is an account rather than a foothold on the host. Because Wings is the daemon that runs and manages the game servers on a node, overloading it degrades or interrupts management of the other servers on that node as well, not just the attacker's own. [1]

Detection Guidance

Exploitation shows up as an unusually high number of concurrent WebSocket connections to Wings, typically concentrated on a few source addresses or accounts, together with a surge in bytes sent or received over those connections and a rise in CPU and memory use by the wings process. The advisory gives no specific commands, but the general approach is to count established TCP connections to the Wings API port (8080 by default, or the reverse proxy in front of it) with 'ss' or 'netstat', grouped by remote address, since each open WebSocket is one TCP session, and to watch the host with 'top', 'htop' or 'vmstat'. Wings' own logs and the reverse proxy's access logs will additionally show repeated WebSocket handshake requests from the same client. [1]
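
As a worked version of the 'ss' approach above, the following Go program is an added example (not from the advisory or the Wings project): it parses the output of `ss -Htn`, counts established connections per remote host to the Wings API port, and flags sources over a threshold. The port value (8080, Wings' default api.port) and the sample output embedded in the program are assumptions and constructed data; on a real node you would feed it the live command output instead.

```go
package main

// Added example, not Wings' code: count established TCP sessions per peer to
// the Wings API port from `ss -Htn` output and flag sources over a threshold.
import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// WingsPort is Wings' default api.port; adjust if the node is configured differently.
const WingsPort = "8080"

// CountPeers parses `ss -Htn` rows (State Recv-Q Send-Q Local:Port Peer:Port)
// and returns the number of ESTAB connections per peer host on localPort.
// Rows in other states (TIME-WAIT, SYN-RECV, ...) are skipped; ss prints IPv6
// endpoints as [addr]:port, which net.SplitHostPort handles.
func CountPeers(ssOutput, localPort string) map[string]int {
	counts := make(map[string]int)
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[0] != "ESTAB" {
			continue
		}
		_, lport, err := net.SplitHostPort(f[3])
		if err != nil || lport != localPort {
			continue
		}
		peer, _, err := net.SplitHostPort(f[4])
		if err != nil {
			continue
		}
		counts[peer]++
	}
	return counts
}

// Offenders returns the peers holding at least threshold connections, busiest
// first, ties broken by address so the output is stable.
func Offenders(counts map[string]int, threshold int) []string {
	var out []string
	for p, n := range counts {
		if n >= threshold {
			out = append(out, p)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if counts[out[i]] != counts[out[j]] {
			return counts[out[i]] > counts[out[j]]
		}
		return out[i] < out[j]
	})
	return out
}

// sampleSS is constructed data imitating `ss -Htn` on a Wings node: one source
// holding several sockets to 8080, a normal client, an IPv6 client, unrelated
// SSH traffic, and a TIME-WAIT row that must not be counted.
const sampleSS = `ESTAB 0 0 10.0.0.5:8080 203.0.113.7:51234
ESTAB 0 0 10.0.0.5:8080 203.0.113.7:51235
ESTAB 0 0 10.0.0.5:8080 203.0.113.7:51236
ESTAB 0 0 10.0.0.5:8080 203.0.113.7:51237
ESTAB 0 0 10.0.0.5:8080 198.51.100.2:40001
ESTAB 0 0 [2001:db8::5]:8080 [2001:db8::1]:60001
ESTAB 0 0 10.0.0.5:22 198.51.100.2:40002
TIME-WAIT 0 0 10.0.0.5:8080 203.0.113.7:51200
`

func main() {
	counts := CountPeers(sampleSS, WingsPort)
	for _, p := range Offenders(counts, 3) {
		fmt.Printf("ALERT %s holds %d connections to :%s\n", p, counts[p], WingsPort)
	}
}
```

The threshold is a tuning knob: a legitimate Panel user keeps one console socket per browser tab, so a single source holding dozens of sockets to the Wings port is the signal to act on, whether by suspending the account or dropping the source at the firewall.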

Mitigation Strategies

The fix is to upgrade Wings to version 1.12.0 or later, which adds rate limiting and throttling on its WebSocket endpoints and a limit on message size. Until the upgrade can be applied, put the controls in front of Wings: cap concurrent connections per source address at the reverse proxy or firewall (for example nginx's limit_conn directive, or a per-source connection limit in the packet filter), rate-limit the WebSocket handshake requests, and alert on the connection counts and resource usage described under Detection Guidance. Be clear about what those interim controls do not cover: a proxy can cap how many sockets a client opens and how often it opens them, but it does not inspect frame sizes or frame rates inside an established WebSocket, so the message-size half of the problem is closed only by the 1.12.0 patch. Because the description frames the actor as a user of the system, suspending the offending account in the Panel is also an immediate response. [1]
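
To make the "proper rate limiting and throttling" concrete, the following Go code is an added example of the three controls a practitioner would put in front of a WebSocket handler for this class of bug. It is not Wings' code and does not claim to reproduce the 1.12.0 patch: the limit values, the error names and the idea of keying the connection cap on the identity carried in the Panel-issued token are all assumptions for illustration.

```go
package main

// Added example, not Wings' code: a per-principal cap on concurrent sockets, a
// frame size cap, and a token-bucket throttle on inbound frames (limits assumed).
import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// MaxMessageBytes is an assumed cap on one inbound frame; Wings' real value may differ.
const MaxMessageBytes = 64 * 1024

var ErrTooManyConns = errors.New("too many concurrent websocket connections for this principal")
var ErrMessageTooBig = errors.New("websocket message exceeds size limit")
var ErrRateLimited = errors.New("websocket message rate limit exceeded")

// ConnLimiter counts open sockets per principal; for Wings the key would be the
// user or server identity in the Panel-issued token (an assumption here).
type ConnLimiter struct {
	mu   sync.Mutex
	max  int
	open map[string]int
}

func NewConnLimiter(max int) *ConnLimiter {
	return &ConnLimiter{max: max, open: make(map[string]int)}
}

// Acquire reserves a slot before the upgrade handshake is accepted; on success
// the caller must Release when the socket closes (defer it immediately).
func (c *ConnLimiter) Acquire(key string) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.open[key] >= c.max {
		return ErrTooManyConns
	}
	c.open[key]++
	return nil
}

func (c *ConnLimiter) Release(key string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.open[key]--; c.open[key] <= 0 {
		delete(c.open, key)
	}
}

// TokenBucket refills rate tokens per second up to burst; each frame costs one.
// The clock is injected so throttling can be tested without sleeping.
type TokenBucket struct {
	mu                  sync.Mutex
	tokens, burst, rate float64
	last                time.Time
	now                 func() time.Time
}

func NewTokenBucket(rate, burst int, now func() time.Time) *TokenBucket {
	return &TokenBucket{tokens: float64(burst), burst: float64(burst), rate: float64(rate), last: now(), now: now}
}

func (b *TokenBucket) Allow() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	t := b.now()
	// Refill in proportion to elapsed nanoseconds, clamped to the burst size.
	b.tokens += float64(t.Sub(b.last)) * b.rate / float64(time.Second)
	if b.tokens > b.burst {
		b.tokens = b.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// CheckFrame runs once per inbound frame: reject oversized payloads before they
// are buffered or parsed, then charge the throttle.
func CheckFrame(b *TokenBucket, payload []byte) error {
	if len(payload) > MaxMessageBytes {
		return ErrMessageTooBig
	}
	if !b.Allow() {
		return ErrRateLimited
	}
	return nil
}

func main() {
	l := NewConnLimiter(2)
	fmt.Println(l.Acquire("user-42"), l.Acquire("user-42"), l.Acquire("user-42"))
	b := NewTokenBucket(20, 40, time.Now)
	fmt.Println(CheckFrame(b, make([]byte, MaxMessageBytes+1)))
}
```

Two design points matter for this CVE in particular. The size check runs on the frame length before the payload is read into memory, because the whole point of the message-size limit is to stop the allocation, not to reject the message after it has already cost the host. And the connection cap is keyed on the authenticated principal rather than the source IP, since the actor here is a user of the system who can spread connections across addresses but not across accounts; the proxy-level per-IP limit remains a useful second layer.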
