CVE-2025-49132

EPSS 12.18%
Veröffentlicht 20.06.2025 16:56:41
Zuletzt bearbeitet 23.06.2025 20:16:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpterodactyl

≫

Produkt panel

Version < 1.11.11

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	12.18%	0.937

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843

https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0

https://github.com/pterodactyl/panel/releases/tag/v1.11.11

https://nvd.nist.gov/vuln/detail/CVE-2025-49132

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49132

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49132

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-49132