Multiple Use of TOTP in Pterodactyl Game Server Management Panel
CVE-2025-69197

6.5MEDIUM

Key Information:

Vendor

Pterodactyl

Status
Panel
Vendor
CVE Published:
6 January 2026

What is CVE-2025-69197?

The Pterodactyl Panel, an open-source game server management solution, has a vulnerability where Time-Based One-Time Password (TOTP) tokens can be reused within their valid time frame. This occurs because used tokens are not properly marked as invalid post-authentication, enabling an attacker who intercepts a valid token to exploit this flaw. By using the intercepted token alongside a known username and password during the 60-second validity window, an unauthorized user can gain access to the account. This critical issue was addressed and resolved in version 1.12.0.

Affected Version(s)

panel < 1.12.0

References

https://github.com/pterodactyl/panel/security/advisories/...
x_refsource_CONFIRM
https://github.com/pterodactyl/panel/commit/032bf076d92bb...
x_refsource_MISC
https://github.com/pterodactyl/panel/releases/tag/v1.12.0
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.