PT-2025-26186 · Panel
Azimoff337 · Published 2024-12-10 · Updated 2026-05-16 · CVE-2025-49132
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pterodactyl versions prior to 1.11.11
Description: An unauthenticated malicious actor can execute arbitrary code by sending requests to the '/locales/locale.json' endpoint with crafted locale and namespace query parameters. The flaw allows complete compromise of the panel server: accessing the server itself, reading credentials from the configuration (such as the .env file), extracting sensitive database contents (including usernames, emails, and hashed passwords), and accessing the files of servers managed by the panel. Security researchers and malicious actors have attempted to exploit this issue since its announcement.
Recommendations: Update to version 1.11.11. For modified installations managed with Git, apply the official patch using git apply. As a temporary mitigation, use an external Web Application Firewall (WAF) to block the attack, or restrict access to the '/locales/locale.json' endpoint at the web server level, although this breaks localization features.
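Requests to the endpoint named above are visible in the web server's access log, so a defender can check whether it has been probed. The following added example (not code from the advisory or from the Pterodactyl project) flags requests to '/locales/locale.json' whose locale or namespace value does not look like a plain locale or namespace token; the allowlist pattern, the combined log format and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/locales/locale.json"

# Assumption: legitimate locale/namespace values are short identifier-like
# tokens such as "en", "pt-BR" or "strings". Anything else is flagged for review.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# nginx/Apache "combined" log format; captures the raw request target as logged.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic); the third one carries a value
# outside the allowlist and should be reported.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "GET /locales/locale.json?locale=en&namespace=strings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2024:10:01:03 +0000] "GET /api/client HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2024:10:02:10 +0000] "GET /locales/locale.json?locale=en%3Bx&namespace=strings HTTP/1.1" 200 4096 "-" "curl/8.4.0"
"""


def suspicious_params(target):
    """Return {param: decoded value} for locale/namespace values failing the
    allowlist; {} if the target is another path or every value looks normal."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    bad = {}
    for name in ("locale", "namespace"):
        for value in query.get(name, []):
            if not ALLOWED_VALUE.match(value):
                bad[name] = value
    return bad


def scan_access_log(text):
    """Parse combined-format lines and return one finding per flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than guessed at
        bad = suspicious_params(m["target"])
        if bad:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "params": bad})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```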

Exploit · Fix · RCE · Use After Free · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-11193
CVE-2025-49132
GHSA-24WV-6C99-F843

Affected Products

Panel