CVE-2025-49132 Scanner
CVE-2025-49132 Scanner - Remote Code Execution vulnerability in Pterodactyl Panel
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 21 hours
Scan only one: URL
Toolbox: -
Pterodactyl Panel is an open-source tool designed for managing game servers. It is widely utilized by game administrators and hosting providers to streamline server deployment and maintenance. The software provides a unified interface through which users can easily manage multiple game server instances across different physical or virtual machines. Its user-friendly design and flexibility make it an attractive solution for those needing efficient game server management. Additionally, its open-source nature allows developers to customize the panel to fit specific needs. This versatility and the wide range of supported games have led to its widespread adoption in the gaming community.
The vulnerability in question is a Remote Code Execution (RCE) flaw in the Pterodactyl Panel. This class of vulnerability allows an attacker to execute arbitrary code on the server hosting the panel. Because the affected endpoint requires no authentication, an unauthenticated remote user can run commands of their choosing, which compromises the panel host and everything it administers. The flaw is rated high severity for exactly that reason: it leads directly to full server compromise, which is why timely patching and defence in depth around the panel matter.
The vulnerability is triggered by requesting the endpoint '/locales/locale.json' with crafted values for its query parameters 'locale' and 'namespace'. The application uses these parameters to build the path of the locale file it reads, without sanitizing them, so a value containing directory-traversal sequences such as '../' makes the server read files outside the locale directory, including the application's configuration files. The endpoint is reachable without logging in, so this is an unauthenticated arbitrary file read rather than a privilege escalation; the secrets exposed by the configuration files are the step that turns that file read into arbitrary command execution. The scanner sends such a request and inspects the response: a body that contains application details from outside the locale directory, rather than a locale JSON document, indicates that the target is exploitable.
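As an added example, not part of this scanner page or of the Pterodactyl project, the Python script below shows how an asset owner can hunt for exploitation attempts against this endpoint in web server access logs. It parses Common Log Format lines, isolates requests to '/locales/locale.json', and classifies the 'locale' and 'namespace' values after repeated percent-decoding and backslash normalisation, so that double-encoded and Windows-style traversal are caught as well as the plain '../' case. The log lines, IP addresses and the allowlist of characters treated as legitimate locale identifiers are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameters named in the advisory text above.
TARGET_PATH = "/locales/locale.json"
WATCHED_PARAMS = ("locale", "namespace")

# Assumption for this example: legitimate locale/namespace values are short
# identifiers such as "en", "en_US" or "activity". Anything else is suspicious.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). Line 1 is a normal locale
# fetch; lines 2-4 are traversal attempts in plain, double-encoded and
# backslash form; line 5 is unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2025:10:01:02 +0000] "GET /locales/locale.json?locale=en&namespace=activity HTTP/1.1" 200 1843',
    '203.0.113.9 - - [20/Jun/2025:10:02:15 +0000] "GET /locales/locale.json?locale=../../../../../../etc/passwd&namespace=x HTTP/1.1" 200 1320',
    '198.51.100.4 - - [20/Jun/2025:10:03:40 +0000] "GET /locales/locale.json?locale=en&namespace=..%252F..%252F..%252F.env HTTP/1.1" 200 910',
    r'198.51.100.4 - - [20/Jun/2025:10:03:41 +0000] "GET /locales/locale.json?locale=en&namespace=..\..\..\.env HTTP/1.1" 200 910',
    '192.0.2.10 - - [20/Jun/2025:10:04:00 +0000] "GET /api/client HTTP/1.1" 200 55',
]


def normalize(value, max_rounds=3):
    """Percent-decode until stable (bounded, so %252e-style double encoding is
    unwrapped without looping on pathological input) and map backslashes to
    forward slashes so Windows-style traversal is compared the same way."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(value):
    """Return a reason string if the parameter value looks hostile, else None."""
    v = normalize(value)
    if ".." in v.split("/"):
        return "path traversal"
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return "absolute path"
    if not SAFE_VALUE.match(v):
        return "unexpected characters"  # e.g. NUL bytes or '....//' variants
    return None


def scan_log(lines):
    """Return one finding per suspicious locale/namespace value sent to the
    vulnerable endpoint, preserving log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qsl performs one round of percent-decoding itself; normalize()
        # handles any further layers.
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        for name in WATCHED_PARAMS:
            if name not in params:
                continue
            reason = classify(params[name])
            if reason:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "decoded": normalize(params[name]),
                    "reason": reason,
                    # A 200 with a body size unlike the normal locale file is
                    # the sign an attempt succeeded; a 4xx is an attempt only.
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['param']}={hit['decoded']!r} "
              f"[{hit['reason']}] status={hit['status']}")
```

Run it against the sample input and it reports the three traversal attempts and ignores the legitimate locale fetch and the unrelated request. When pointed at real logs, treat a hit with status 200 and a response size that differs from the size of a normal locale fetch as a likely successful read, and check it by hand; an access log only records the request line, so this detector cannot see what the server actually returned.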
If this vulnerability is exploited, attackers could gain unauthorized access to the server and the data it contains. This could lead to data exfiltration, unauthorized data modifications, or complete system takeover. Servers running Pterodactyl Panel could be used to launch further attacks within the network or to other systems. Sensitive information such as user credentials, configuration details, and server data could be exposed and manipulated. Overall, the exploitation of this vulnerability poses significant security and operational risks for affected systems.