CVE-2025-49132
📋 TL;DR
CVE-2025-49132 is a critical remote code execution vulnerability in Pterodactyl Panel that allows unauthenticated attackers to execute arbitrary code via specially crafted requests to the /locales/locale.json endpoint. This affects all Pterodactyl Panel installations prior to version 1.11.11, potentially compromising the entire server infrastructure.
💻 Affected Systems
- Pterodactyl Panel
⚠️ Manual Verification Required
This CVE does not have version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges were provided to NVD). The vendor advisory (GHSA-24wv-6c99-f843) does: every release before 1.11.11 is affected and 1.11.11 is the fix, so comparing your panel version against 1.11.11 is sufficient.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 1.11.11 or later; that is the only complete fix
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover, credential theft from panel configuration, database compromise, and access to all managed game servers and their files.
Likely Case
Unauthenticated remote code execution leading to server compromise, data exfiltration, and potential lateral movement to managed game servers.
If Mitigated
Limited impact if external WAF blocks malicious requests or network segmentation prevents lateral movement after initial compromise.
🎯 Exploit Status
The vendor advisory provides enough technical detail to build an exploit. The endpoint requires no authentication and the attack is a single crafted HTTP request to it, so exploitation needs no credentials, no user interaction and no prior foothold.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.11
Vendor Advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
Restart Required: Yes
Instructions:
1. Back up your panel configuration (.env) and database.
2. Update to version 1.11.11 using the official upgrade instructions.
3. Restart the panel services (PHP-FPM / web server and the queue worker).
4. Verify the update was successful (php artisan p:info should report Panel Version 1.11.11).
🔧 Temporary Workarounds
External WAF Protection
Deploy a web application firewall in front of the panel that rejects requests to /locales/locale.json whose locale or namespace value contains a path separator or ".." (raw or percent-encoded, e.g. %2e%2e, %2f, %5c). Do not block the endpoint outright: the panel front end loads its translations from it.
Network Access Control
Restrict access to the panel to trusted IP addresses only. Allow every Wings node as well: nodes call back to the panel API, and a rule set that only admits administrator addresses breaks server management.
# Example iptables rules for Linux. -A appends, so an earlier rule that already
# accepts 80/443 would take precedence: check `sudo iptables -L INPUT -n --line-numbers`.
# Repeat the ACCEPT lines for every trusted address, including each Wings node.
sudo iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
# For a Docker-hosted panel, published ports bypass INPUT: add equivalent rules to the DOCKER-USER chain.
🧯 If You Can't Patch
- Immediately restrict network access to the panel using firewall rules to only allow trusted IPs
- Deploy an external WAF with rules that block requests to /locales/locale.json whose locale or namespace values contain path-traversal sequences (raw or percent-encoded), rather than blocking the endpoint itself
🔍 How to Verify
Check if Vulnerable:
Check whether your Pterodactyl Panel version is below 1.11.11 (php artisan p:info, or the 'version' key in config/app.php). Do not treat the presence of the /locales/locale.json endpoint as evidence: it exists in patched versions too, since the front end depends on it; what changed in 1.11.11 is the validation of the locale and namespace parameters.
Check Version:
# run from the panel directory (default /var/www/pterodactyl)
php artisan p:info | grep 'Panel Version'
Verify Fix Applied:
Confirm the panel version is 1.11.11 or higher and, from a test client, confirm that a request to /locales/locale.json whose locale or namespace value contains a path separator or ".." is rejected instead of being loaded.
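The version comparison described above as a shell script. This is an added example, not code from this page or from the Pterodactyl project; it assumes the default install path /var/www/pterodactyl, GNU sort (for -V) and the 'version' key the panel ships in config/app.php.

```shell
#!/bin/sh
# Added example (not Pterodactyl project code): decide whether an installed
# panel is older than the patched release for CVE-2025-49132.
PATCHED="1.11.11"

# Returns 0 when the version in $1 is older than $PATCHED, 1 when it is
# $PATCHED or newer, 2 when no version was given. Uses GNU sort -V for a
# component-wise comparison (1.11.9 < 1.11.10 < 1.11.11). Development builds
# report 'canary' and cannot be compared this way.
panel_is_vulnerable() {
    v="${1#v}"                      # tolerate a leading "v" as in "v1.11.10"
    [ -n "$v" ] || return 2
    lowest=$(printf '%s\n%s\n' "$v" "$PATCHED" | sort -V | head -n 1)
    [ "$lowest" = "$v" ] && [ "$v" != "$PATCHED" ]
}

# Reads the version the panel declares in config/app.php ('version' => '...').
# $1 is the panel directory; defaults to the standard /var/www/pterodactyl.
panel_version_from_config() {
    grep -E "^[[:space:]]*'version'[[:space:]]*=>" "${1:-/var/www/pterodactyl}/config/app.php" \
        | sed -E "s/.*'version'[[:space:]]*=>[[:space:]]*'([^']+)'.*/\1/"
}

# Stand-alone run: report on the local install when one is present.
if [ -f /var/www/pterodactyl/config/app.php ]; then
    ver=$(panel_version_from_config)
    if panel_is_vulnerable "$ver"; then
        echo "Panel $ver is VULNERABLE to CVE-2025-49132: update to $PATCHED"
    else
        echo "Panel $ver is at or above $PATCHED"
    fi
fi
```

Reading config/app.php rather than calling artisan means the check works from a backup or a mounted volume where PHP is not installed; the two should agree on a healthy install.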
📡 Detection & Monitoring
Log Indicators:
- Requests to /locales/locale.json whose locale or namespace value contains "..", a path separator, or their percent-encoded forms (%2e%2e, %2f, %5c)
- Such requests from a client with no prior session; the endpoint needs no authentication, so do not expect failed logins to precede an attempt
- Shell or interpreter processes (sh, curl, wget, python) spawned by the web-server/PHP-FPM user (e.g. www-data)
Network Indicators:
- HTTP requests to /locales/locale.json with encoded or suspicious parameters
- Outbound connections from panel server to unexpected destinations
SIEM Query:
source="web_access.log" AND uri_path="/locales/locale.json" AND (query_string="*locale=*" OR query_string="*namespace=*")
This base query also matches normal panel use, since the front end requests this endpoint with both parameters; narrow it to values carrying traversal sequences, raw or percent-encoded:
source="web_access.log" AND uri_path="/locales/locale.json" AND (query_string="*..*" OR query_string="*%2e%2e*" OR query_string="*%2E%2E*" OR query_string="*%2f*" OR query_string="*%2F*" OR query_string="*%5c*" OR query_string="*%5C*")
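The log indicators and SIEM query above as a working filter, run over constructed access-log lines. This is an added example, not code from this page or the Pterodactyl project. It assumes the hostile input is a path-traversal sequence in the locale or namespace value, raw or percent-encoded, which is the shape the indicators point at (the page does not give the exact payload), and that the log is in combined format, where the request target is the seventh whitespace-separated field.

```shell
#!/bin/sh
# Added example (not Pterodactyl project code): print access-log lines whose
# /locales/locale.json request carries a traversal-like locale or namespace.
flag_locale_requests() {
    awk '
    # Combined log format:  ip - - [date tz] "METHOD /target HTTP/1.x" ...
    # so $7 is the request target including the query string.
    index($7, "/locales/locale.json?") == 1 {
        query = substr($7, index($7, "?") + 1)
        n = split(query, kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            key = substr(kv[i], 1, eq - 1)
            val = tolower(substr(kv[i], eq + 1))   # fold %2E/%2e etc.
            if (key != "locale" && key != "namespace") continue
            # A translation name never needs "..", "/" or "\", raw or encoded.
            if (index(val, "..") || index(val, "%2e%2e") ||
                index(val, "/")  || index(val, "%2f")    ||
                index(val, "\\") || index(val, "%5c")) {
                print
                next
            }
        }
    }'
}

# Constructed sample: one benign translation load, two traversal attempts
# (the second one percent-encoded). Addresses are documentation ranges.
SAMPLE_LOG='203.0.113.10 - - [19/Jun/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en&namespace=dashboard HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2025:10:00:05 +0000] "GET /locales/locale.json?locale=../../../../tmp/x&namespace=x HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.7 - - [19/Jun/2025:10:00:09 +0000] "GET /locales/locale.json?locale=en&namespace=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "curl/8.5.0"'

# Number of sample lines the filter flags (2 for the constructed sample).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_locale_requests | wc -l | tr -d ' '
}

# Stand-alone run: show the flagged lines.
printf '%s\n' "$SAMPLE_LOG" | flag_locale_requests
```

Against a live server, replace the sample with `flag_locale_requests < /var/log/nginx/access.log`. Matching on the raw value avoids a full URL-decoder in awk; an attacker who double-encodes (%252e) still leaves a "%" in a field that legitimately contains only a translation name, so extend the test to reject any "%" if you want the stricter rule.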