CVE-2025-49132: Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
Using the /locales/locale.json endpoint with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
With the ability to execute arbitrary code, this vulnerability can be exploited in countless ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details: username, email, first and last name, hashed password, IP addresses, etc.), access files of servers managed by the Panel, and more.
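As an added defender-side example (not code from the advisory or the Pterodactyl project), the following Python scans constructed access-log lines for requests to the endpoint above whose locale or namespace parameter is not a plain identifier, and checks whether a Panel version is at or above the v1.11.11 release listed in the references. The allow-list shape for legitimate parameter values and the "fixed from v1.11.11" threshold are assumptions.

```python
"""Scan Pterodactyl Panel access logs for anomalous /locales/locale.json requests."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Allow-list for the two query parameters named in the advisory: locale codes such
# as "en" or "en_US" and namespaces that are plain identifiers. (Assumption: this
# is the shape legitimate Panel requests use; anything else is worth a look.)
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Combined-format access-log line: client IP, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_locale_requests(lines):
    """Return (client_ip, status, reason) for each locale.json request with an out-of-policy parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        url = urlsplit(m.group("target"))
        if url.path != "/locales/locale.json":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in ("locale", "namespace"):
            for raw in params.get(name, []):
                value = unquote(raw)  # parse_qs decoded once; catch double-encoded values too
                if not SAFE_VALUE.match(value):
                    findings.append((m.group("ip"), int(m.group("status")), f"{name}={value!r}"))
    return findings


def is_fixed_version(version):
    """True when the Panel version is at or above 1.11.11 (assumed first fixed release, per the references)."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return parts >= (1, 11, 11)


# Constructed sample lines, not real traffic: one legitimate request and one whose
# namespace value is not a plain identifier.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en&namespace=server HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /locales/locale.json?locale=en&namespace=not%2Fan%2Fidentifier HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for ip, status, reason in suspicious_locale_requests(SAMPLE_LOG):
        print(f"{ip} status={status} {reason}")
```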
References
- github.com/advisories/GHSA-24wv-6c99-f843
- github.com/pterodactyl/panel
- github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
- github.com/pterodactyl/panel/releases/tag/v1.11.11
- github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
- nvd.nist.gov/vuln/detail/CVE-2025-49132