Remote Code Execution Vulnerability in Pterodactyl Game Server Management Panel
CVE-2025-49132

Key Information:

CVE Published: 20 June 2025

What is CVE-2025-49132?

Pterodactyl, a widely used free and open-source game server management panel, has a significant vulnerability that allows unauthorized remote code execution. This occurs through the /locales/locale.json endpoint when specific query parameters are manipulated. Attackers exploiting this flaw can execute arbitrary commands, gaining access to sensitive server data, including configuration files and database information. A patch has been issued in version 1.11.11, and while there are no direct software workarounds, implementing a Web Application Firewall (WAF) is advisable to mitigate potential attacks.
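As an added defensive example (not part of this advisory or of the Pterodactyl project), the following Python scans web-server access logs for requests to the /locales/locale.json endpoint whose query values, after full percent-decoding, fall outside a conservative identifier allowlist. The allowlist, the parameter names and the log lines are assumptions constructed for illustration, since the advisory does not state which parameters or values are abused.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined format); hosts, times and values are invented.
SAMPLE_LOGS = [
    '10.0.0.5 - - [20/Jun/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=server HTTP/1.1" 200 1432',
    '10.0.0.7 - - [20/Jun/2025:10:00:02 +0000] "GET /locales/locale.json?locale=..%2F..%2Fx&namespace=y HTTP/1.1" 200 88',
    '10.0.0.9 - - [20/Jun/2025:10:00:03 +0000] "GET /api/client HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jun/2025:10:00:04 +0000] "GET /locales/locale.json?locale=en%252e%252e%2Fz HTTP/1.1" 200 10',
]

ENDPOINT = "/locales/locale.json"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: legitimate values here are short identifier-like tokens; anything else after decoding is flagged.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) pairs on the locale endpoint that fail the allowlist."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []  # other paths are out of scope for this check
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded one layer
        if not SAFE_VALUE_RE.match(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (client_ip, request target, offending params) for each flagged request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (hits := suspicious_params(m.group("target"))):
            findings.append((line.split()[0], m.group("target"), hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOGS):
        print(f"{ip} {target} -> {hits}")
```

Flagged requests are a prompt to check the panel version against the fixed 1.11.11 release and to review what the same client did next, not proof of compromise on their own.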

Affected Version(s)

panel < 1.11.11

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
