| purl | pkg:composer/pterodactyl/panel@1.4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3whz-s48q-cqay (Aliases: CVE-2025-49132, GHSA-24wv-6c99-f843) | Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution. Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated. With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, IP addresses, etc.]), access files of servers managed by the panel, etc. | Affected by 6 other vulnerabilities. |
| VCID-4dmv-578h-yffr (Aliases: CVE-2021-41273, GHSA-wwgq-9jhf-qgw6) | Cross-Site Request Forgery (CSRF). Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: sending a test email and generating a node auto-deployment token. At no point would any data be exposed to the malicious user; this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user; it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems. | Affected by 10 other vulnerabilities. |
| VCID-8spz-vf88-ffg6 (Aliases: CVE-2025-68954, GHSA-8c39-xppg-479c) | Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced. Pterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. | Affected by 2 other vulnerabilities. |
| VCID-9b11-582z-9uad (Aliases: CVE-2021-41176, GHSA-m49f-hcxp-6hm6) | Cross-Site Request Forgery (CSRF). Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected; this is simply an annoyance at worst.** This is fixed | Affected by 11 other vulnerabilities. |
| VCID-bws3-gcda-5yfp (Aliases: CVE-2024-34067, GHSA-384w-wffr-x63q) | Pterodactyl panel's admin area vulnerable to Cross-site Scripting. Importing a malicious egg or gaining access to a wings instance could lead to XSS on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images; Egg variables (Name, Environment variable, Default value, Description, Validation rules). Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To reiterate, this would require an administrator to perform actions and can't be triggered by a normal panel user. | Affected by 8 other vulnerabilities. |
| VCID-euq3-t72s-v7hx (Aliases: CVE-2025-69198, GHSA-jw2v-cq5x-q68g) | Pterodactyl improperly locks resources allowing raced queries to create more resources than allotted. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result, sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result, a server would be able to create more databases, allocations, or backups than configured. | Affected by 2 other vulnerabilities. |
| VCID-ex7c-s6tk-cub4 (Aliases: CVE-2026-26016, GHSA-g7vw-f8p5-c728) | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization. A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. _This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on potential worst outcome. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token._ | Affected by 0 other vulnerabilities. |
| VCID-k7th-zxza-suax (Aliases: GHSA-mgr9-6c2j-jxrq) | Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”. When an administrative user creates a new database host they are prompted to provide a `Host` value which is expected to be a domain or IP address. When an invalid value is encountered and passed back to `gethostaddr` and/or directly to the MySQL connection tooling, an error is returned. This error is then passed back along to the front-end, but was not properly sanitized when rendered. Therefore it is possible for an admin to _knowingly_ paste a malicious payload such as `<script>prompt(document.domain)</script>` into the `Host` field and XSS themselves. | Affected by 2 other vulnerabilities. |
| VCID-khx3-uazp-w3ht (Aliases: CVE-2025-69197, GHSA-rgmp-4873-r683) | Pterodactyl TOTPs can be reused during validity window. When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system, allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window. This vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds. | Affected by 2 other vulnerabilities. |
| VCID-mhsu-cft3-vqgu (Aliases: CVE-2021-41129, GHSA-5vfx-8w6m-h3v4) | Deserialization of Untrusted Data. Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process, a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and look up their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys, which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: (1) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. (2) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint, once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: (3) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere. | Affected by 12 other vulnerabilities. |
| VCID-px9v-aj25-qba9 (Aliases: CVE-2024-49762, GHSA-c479-wq8g-57hr) | Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain text, storing a user's password in plain text. If a malicious user obtains access to these logs they could *potentially* authenticate against a user's account, assuming they are able to discover the account's email address or username **separately**. | Affected by 7 other vulnerabilities. |
| VCID-rzhf-4asb-tqe8 (Aliases: GHSA-7v3x-h7r2-34jv, GMS-2022-28) | Insufficient Session Expiration in Pterodactyl API. ### Impact A vulnerability exists in Pterodactyl Panel `<= 1.6.6` that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to. It is important to note that **a malicious user must first compromise an existing API key for a user to exploit this issue**. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key. ### Patches This issue has been addressed in the `v1.7.0` release of Pterodactyl Panel. ### Workarounds Those not wishing to upgrade may apply the change below: ```diff diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php index eb25dac6..857bfab2 100644 --- a/app/Http/Middleware/Api/AuthenticateKey.php +++ b/app/Http/Middleware/Api/AuthenticateKey.php @@ -70,7 +70,7 @@ class AuthenticateKey } else { $model = $this->authenticateApiKey($request->bearerToken(), $keyType); - $this->auth->guard()->loginUsingId($model->user_id); + $this->auth->guard()->onceUsingId($model->user_id); } ``` ### For more information If you have any questions or comments about this advisory please reach out to `Tactical Fish#8008` on [Discord](https://discord.gg/pterodactyl) or email `dane@pterodactyl.io`. | Affected by 9 other vulnerabilities. |
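Review bot: the switch from `loginUsingId` to `onceUsingId` in the `else` branch of `AuthenticateKey` only stops future bearer-token requests from persisting a login into the session; nothing in the hunk invalidates sessions that were already established through `loginUsingId` before the patch was applied, so the Workarounds text should tell operators to also flush existing user sessions after patching, and a regression test asserting that an API-key-authenticated request does not leave behind a session would keep the behaviour from returning.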
| VCID-y8bz-8ura-hqc3 (Aliases: GHSA-hr7j-63v7-vj7g) | Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change. Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||