CVE-2025-69198
📋 TL;DR
This CVE describes a race condition vulnerability in Pterodactyl Panel where concurrent requests can bypass resource limits. Malicious users can create more databases, port allocations, or backups than allowed, potentially denying resources to others or exhausting system capacity. This affects all Pterodactyl Panel installations prior to version 1.12.0.
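To show the bug class behind this advisory, here is an added Python/SQLite illustration (not Pterodactyl's PHP code) of a quota check that races under concurrent requests, next to the fixed form that takes the write lock before checking; the table, the limit and the request count are constructed assumptions.

```python
# Constructed demo of a quota-check race (not Pterodactyl code); names are assumptions.
import os
import sqlite3
import tempfile
import threading

LIMIT = 2        # databases this server may own (assumed quota)
CONCURRENT = 5   # simultaneous create requests from one user (constructed)

def fresh_db() -> str:
    path = os.path.join(tempfile.mkdtemp(), "panel.sqlite3")
    with sqlite3.connect(path) as con:
        con.execute("CREATE TABLE server_databases (server_id INT, name TEXT)")
    return path

def count_dbs(con, server_id) -> int:
    sql = "SELECT COUNT(*) FROM server_databases WHERE server_id = ?"
    return con.execute(sql, (server_id,)).fetchone()[0]

def create_db_racy(path, server_id, name, barrier) -> bool:
    """Vulnerable pattern: check the limit, then insert, with no lock held between."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)  # autocommit
    allowed = count_dbs(con, server_id) < LIMIT
    barrier.wait()  # every request has passed its check before anyone inserts
    if allowed:
        con.execute("INSERT INTO server_databases VALUES (?, ?)", (server_id, name))
    con.close()
    return allowed

def create_db_safe(path, server_id, name, barrier) -> bool:
    """Fixed pattern: lock first, then check and insert inside one transaction."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)
    barrier.wait()
    con.execute("BEGIN IMMEDIATE")  # serialises every would-be writer here
    allowed = count_dbs(con, server_id) < LIMIT
    if allowed:
        con.execute("INSERT INTO server_databases VALUES (?, ?)", (server_id, name))
    con.execute("COMMIT")
    con.close()
    return allowed

def simulate(create_fn, server_id=1) -> int:
    """Fire CONCURRENT create requests at once; return how many rows the server got."""
    path = fresh_db()
    barrier = threading.Barrier(CONCURRENT)
    threads = [threading.Thread(target=create_fn, args=(path, server_id, f"db{i}", barrier))
               for i in range(CONCURRENT)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return count_dbs(sqlite3.connect(path), server_id)
```

On MySQL or PostgreSQL the same role as `BEGIN IMMEDIATE` is played by `SELECT ... FOR UPDATE` on the parent row before counting; `simulate(create_db_racy)` ends with all 5 rows while `simulate(create_db_safe)` stops at the limit of 2.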
💻 Affected Systems
- Pterodactyl Panel
📦 What is this software?
Panel by Pterodactyl
⚠️ Risk & Real-World Impact
Worst Case
Complete exhaustion of node resources (ports, backup storage, databases) leading to denial of service for all users on the system and potential system instability.
Likely Case
Malicious users exceeding their allocated resource quotas, consuming shared resources that should be limited, and potentially impacting other users on the same node.
If Mitigated
Limited impact if proper network segmentation and resource monitoring are in place, though resource exhaustion could still occur within isolated segments.
🎯 Exploit Status
Exploitation requires authenticated access and ability to send concurrent requests. The race condition is straightforward to trigger with basic scripting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.0
Vendor Advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g
Restart Required: Yes
Instructions:
1. Backup your Pterodactyl installation and database.
2. Update to version 1.12.0 using the official update process.
3. Restart the Pterodactyl queue worker and web server.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Rate Limiting at Network Level
Implement network-level rate limiting for authenticated endpoints to reduce concurrent request capability
# Example using nginx: limit_req_zone $binary_remote_addr zone=auth:10m rate=10r/s;
# Then apply to location blocks with: limit_req zone=auth burst=20 nodelay;
Resource Monitoring and Alerts
Monitor resource usage and set alerts for abnormal spikes in database, port, or backup creation
# Monitor with tools like Prometheus/Grafana or custom scripts
# Alert on resource creation exceeding normal thresholds
🧯 If You Can't Patch
- Implement strict rate limiting at the application firewall or reverse proxy level
- Monitor resource usage closely and implement automated resource cleanup for abnormal spikes
🔍 How to Verify
Check if Vulnerable:
Check the Pterodactyl Panel version. If it is below 1.12.0, the system is vulnerable.
Check Version:
php artisan p:info | grep 'Panel Version'
Verify Fix Applied:
Verify version is 1.12.0 or higher and test resource creation with concurrent requests to ensure limits are enforced.
📡 Detection & Monitoring
Log Indicators:
- Multiple concurrent resource creation requests from same user
- Resource creation exceeding configured limits in logs
- Error logs showing resource constraint violations
Network Indicators:
- Bursts of POST requests to resource creation endpoints
- High concurrent connection counts from single IPs
SIEM Query:
source="pterodactyl" ("created database" OR "created allocation" OR "created backup") | stats count by user, src_ip | where count > threshold