Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-24wv-6c99-f843

CRITICAL

Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution

Also known asCVE-2025-49132
Published
Jun 19, 2025
Updated
Jun 20, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
12 known

EPSS Exploitation Probability

via FIRST.org ↗
13.1%probability of exploitation in next 30 days
Moderate Risk96th percentile+0.58%
6.79%16.4%25.9%35.5%25.5%13.1%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐘pterodactyl/panel

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Impact

Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code, without being authenticated.

With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.

Patches

This vulnerability was patched by https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0 and was released under the v1.11.11 tag without any other code modifications compared to v1.11.10.

For those who need to patch their installations in-place or apply it on top of other code modifications, a patch file can be retrieved from https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0.patch and applied using git apply.

Workarounds

Other than patching the software, there is no workaround in this software. Disabling the /locales/locale.json endpoint at the webserver level is possible, but would break the localization feature wherever it is used.

The only other workaround relies on an external Web Application Firewall (WAF), such as Cloudflare's WAF with their default ruleset (requires Pro plan or above, Free doesn't have the proper ruleset) to mitigate this attack.

Updating to v1.11.11 or manually patching the software are the only recommended ways to completely mitigate this vulnerability.

User Notice

Shortly after the v1.11.11release and it's announcement, security researchers and malicious actors have been attempting to exploit this vulnerability. While there hasn't been any official confirmations of breaches or successful exploits of the vulnerability in the wild, it is only a matter of time for those who remain on unpatched versions without any workarounds in place.

The scope of this vulnerability cannot be fully described, anything is possible. It is of utmost importance that anyone running a vulnerable version of this software, patch it or update to the latest available version immediately.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistpterodactyl/panelall versions1.11.11
Exploits & PoCs
12

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

EDB-52341webappsmultiple

Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)

by Zen-kun04 · Jun 26, 2025

Exploit-DB Source

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pterodactyl/panel. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update pterodactyl/panel to 1.11.11 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-24wv-6c99-f843 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-24wv-6c99-f843 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-24wv-6c99-f843. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Impact Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated. With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the pane
O3 Security · Impact-Aware SCA

Is GHSA-24wv-6c99-f843 in your dependencies?

O3 detects GHSA-24wv-6c99-f843 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works