VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-khx3-uazp-w3ht

Essentials
Severities (16)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-khx3-uazp-w3ht
Aliases	CVE-2025-69197 GHSA-rgmp-4873-r683
Summary	Pterodactyl TOTPs can be reused during validity window When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window. This vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-287	Improper Authentication
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-294	Authentication Bypass by Capture-replay

System	Score	Found at
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2025-69197
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-rgmp-4873-r683
cvssv3.1	6.5	https://github.com/pterodactyl/panel
generic_textual	MODERATE	https://github.com/pterodactyl/panel
cvssv3.1	6.5	https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf
generic_textual	MODERATE	https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf
ssvc	Track	https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf
cvssv3.1	6.5	https://github.com/pterodactyl/panel/releases/tag/v1.12.0
generic_textual	MODERATE	https://github.com/pterodactyl/panel/releases/tag/v1.12.0
ssvc	Track	https://github.com/pterodactyl/panel/releases/tag/v1.12.0
cvssv3.1	6.5	https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683
cvssv3.1_qr	MODERATE	https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683
generic_textual	MODERATE	https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683
ssvc	Track	https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2025-69197
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2025-69197

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-69197
		https://github.com/pterodactyl/panel
		https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf
		https://github.com/pterodactyl/panel/releases/tag/v1.12.0
CVE-2025-69197		https://nvd.nist.gov/vuln/detail/CVE-2025-69197
GHSA-rgmp-4873-r683		https://github.com/advisories/GHSA-rgmp-4873-r683
GHSA-rgmp-4873-r683		https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pterodactyl/panel

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/ Found at https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pterodactyl/panel/releases/tag/v1.12.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/ Found at https://github.com/pterodactyl/panel/releases/tag/v1.12.0

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/ Found at https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-69197

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.01641
EPSS Score	0.00012
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:49:23.433552+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pterodactyl/panel/CVE-2025-69197.yml	38.6.0