PT-2025-26186 · Panel
Azimoff337 · Published 2025-06-18 · Updated 2025-08-05
CVE-2025-49132 · CVSS 10 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Pterodactyl versions prior to 1.11.11
Description:
Pterodactyl is a free, open-source game server management panel. Through the `/locales/locale.json` endpoint and its `locale` and `namespace` query parameters, an unauthenticated attacker is able to execute arbitrary code. This can be used to gain access to the Panel's server, read credentials from the Panel's configuration, extract sensitive information from the database, access files of servers managed by the Panel, and more.
Recommendations:
To resolve the issue, update to version 1.11.11 or later. For those running modified versions of the Panel and using Git, apply the patch with `git apply` from https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0.patch. As a temporary workaround, an external Web Application Firewall (WAF) can be used to mitigate the attack, but note that this is not a substitute for patching the software.
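As an added example (not part of this advisory and not code from the Pterodactyl project), the following Python script shows the kind of triage check a defender can run over web-server access logs, or use as a prototype for the WAF rule mentioned above: it isolates requests to the `/locales/locale.json` endpoint and flags any `locale` or `namespace` value that falls outside a strict allowlist of locale-tag and namespace characters. The combined log format, the allowlist pattern, the function names and the sample log lines are my assumptions, constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and query parameters named in the advisory.
VULNERABLE_PATH = "/locales/locale.json"
WATCHED_PARAMS = ("locale", "namespace")

# Assumed allowlist: legitimate values look like locale tags ("en", "en_US",
# "pt-BR") or short namespace names ("auth", "server"). Anything else is
# reported for review; the pattern is a triage heuristic, not a signature.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_\-]{1,32}")

# Assumed Apache/Nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges); the second line carries
# a locale value with a "/" that the allowlist rejects.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2025:10:00:00 +0000] "GET /locales/locale.json?locale=en&namespace=auth HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2025:10:00:04 +0000] "GET /locales/locale.json?locale=x%2Fy&namespace=auth HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    '203.0.113.9 - - [18/Jun/2025:10:00:09 +0000] "GET /api/client HTTP/1.1" 401 44 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def check_request(target):
    """Return [(param, value), ...] for watched parameters of the vulnerable
    endpoint whose (percent-decoded) value fails the allowlist.

    Requests to any other path, and requests whose values all pass, yield [].
    """
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return []
    query = parse_qs(parts.query)  # decodes %XX escapes; drops blank values
    findings = []
    for param in WATCHED_PARAMS:
        for value in query.get(param, []):
            if not SAFE_VALUE.fullmatch(value):
                findings.append((param, value))
    return findings


def scan_log(lines):
    """Parse access-log lines and return one alert dict per request that
    check_request() flags; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        findings = check_request(match["target"])
        if findings:
            alerts.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} status={alert['status']} "
              f"suspicious={alert['findings']}")
```

The script reports a request even when it returned 200, because the advisory describes the endpoint as reachable without authentication, so a successful status alone says nothing about intent. It only triages traffic for review; as the recommendation above notes, the fix is the upgrade to 1.11.11 or the linked patch.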
Fix · RCE · Code Injection
References (14)
- https://nvd.nist.gov/vuln/detail/CVE-2025-49132 · Security Note
- https://osv.dev/vulnerability/CVE-2025-49132 · Vendor Advisory
- https://osv.dev/vulnerability/GHSA-24wv-6c99-f843 · Vendor Advisory
- https://github.com/pterodactyl/panel/releases/tag/v1.11.11 · Note
- https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0 · Note
- https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843 · Note
- https://github.com/pterodactyl/panel · Note
- https://reddit.com/r/selfhosted/comments/1lesysp/security_psa_if_youre_hosting_pterodactyl_on_your · Reddit Post
- https://t.me/cvetracker/26677 · Telegram Post
- https://twitter.com/RhinozzCode/status/1935760759109169407 · Twitter Post
- https://twitter.com/CveFindCom/status/1936109261945201074 · Twitter Post
- https://reddit.com/r/admincraft/comments/1lf0v3x/pterodactyl_panel_cvss_100_security_vulnerability · Reddit Post
- https://twitter.com/CVEnew/status/1936110489484116081 · Twitter Post
- https://reddit.com/r/Pterodactyl/comments/1lepwn6/panel_11111_has_been_released_security_update · Reddit Post