In 2025, Pterodactyl Panel received a security advisory for CVE-2025-49132, scored 10.0 on the Common Vulnerability Scoring System (CVSS). A 10.0 is the maximum possible severity rating. It means an unauthenticated remote attacker can compromise the target system completely, with no user interaction required.
If you self-host Pterodactyl Panel and have not updated to version 1.11.11 or later, your infrastructure is exposed. This post explains what the vulnerability is, how it works, and what to do right now.
What the Vulnerability Is
The vulnerability exists in the panel's localization handling system. Pterodactyl Panel supports multiple languages. When a user requests the interface in a specific locale, the panel loads the corresponding language file. The system did not properly validate the locale identifier provided by the user.
An attacker could supply a crafted locale string that included path traversal characters, for example ../../config/app. Instead of loading a language file, the panel would process an arbitrary file from the server's filesystem. This is called a Local File Inclusion (LFI) attack combined with path traversal.
If the referenced file contained PHP-executable content, the panel would execute it. This is Remote Code Execution (RCE). An attacker who successfully exploited this could:
- Execute arbitrary commands on the server running the panel
- Read sensitive configuration files including database credentials, SMTP credentials, and cloud storage API keys
- Establish persistent access to the host machine
- Pivot to connected Wings daemon nodes and game server containers
The attack required no authentication. Any HTTP request to the panel's locale endpoint with a malicious locale string was sufficient.
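To make the mechanism concrete, here is an added example (written for this post, not Pterodactyl's own PHP code): a small Python stand-in for a locale file loader. It shows why pasting an unvalidated locale string into a filesystem path turns into path traversal, and the two checks, an allowlist of identifiers plus a containment check on the resolved path, that close it. The resources/lang layout, the file names and the allowlist contents are assumptions made for the demo.

```python
# Added example, not Pterodactyl's own code: a Python stand-in for a locale file
# loader. It shows why pasting an unvalidated locale string into a path gives
# path traversal, and the two checks (allowlist + containment) that close it.
# The resources/lang layout and file names are assumptions for the demo.
from pathlib import Path
import re
import tempfile

# Locale identifiers the application actually ships; anything else is refused.
ALLOWED_LOCALES = frozenset({"en", "de", "fr", "pt-br"})
# Shape of a legitimate identifier: two lowercase letters, optional "-xx" region.
LOCALE_RE = re.compile(r"[a-z]{2}(-[a-z]{2})?")


def lang_dir(root: Path) -> Path:
    return (root / "resources" / "lang").resolve()


def build_fixture() -> Path:
    """Create a throwaway tree mirroring a Laravel app: resources/lang/en.php
    (a language file) and config/app.php (a file that must never be loaded)."""
    root = Path(tempfile.mkdtemp(prefix="locale-demo-"))
    (root / "resources" / "lang").mkdir(parents=True)
    (root / "config").mkdir()
    (root / "resources" / "lang" / "en.php").write_text("<?php return ['hi' => 'Hello'];")
    (root / "config" / "app.php").write_text("<?php return ['key' => 'do-not-load'];")
    return root


def resolve_locale_vulnerable(root: Path, locale: str) -> Path:
    """The flawed pattern: the user-controlled string goes straight into the path.
    '../../config/app' walks out of resources/lang and lands on config/app.php."""
    return (lang_dir(root) / f"{locale}.php").resolve()


def resolve_locale_hardened(root: Path, locale: str) -> Path:
    """Allowlist the identifier, then confirm the resolved path is still under lang/."""
    if not LOCALE_RE.fullmatch(locale) or locale not in ALLOWED_LOCALES:
        raise ValueError(f"unsupported locale: {locale!r}")
    base = lang_dir(root)
    candidate = (base / f"{locale}.php").resolve()
    # Defence in depth: even if the allowlist is widened later, never leave lang/.
    if base not in candidate.parents:
        raise ValueError("locale path escapes the language directory")
    return candidate


def escapes_lang_dir(root: Path, resolved: Path) -> bool:
    """True when a resolved locale path lies outside resources/lang."""
    return lang_dir(root) not in resolved.parents


def hardened_rejects(root: Path, locale: str) -> bool:
    """Convenience check: does the hardened resolver refuse this identifier?"""
    try:
        resolve_locale_hardened(root, locale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = build_fixture()
    crafted = "../../config/app"   # the traversal string quoted in the write-up above
    p = resolve_locale_vulnerable(root, crafted)
    print("vulnerable resolves to", p, "- escapes lang/:", escapes_lang_dir(root, p))
    print("hardened rejects crafted value:", hardened_rejects(root, crafted))
    print("hardened 'en' ->", resolve_locale_hardened(root, "en"))
```

The allowlist alone would already stop the crafted value; the containment check is kept as a second, independent line of defence so that a future change to the allowlist cannot silently reopen the traversal.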
Who Is Affected
You are affected if:
- You self-host Pterodactyl Panel
- You run a version below 1.11.11
- The panel is exposed to the internet (which it almost always is by design)
This includes hosting companies running Pterodactyl for their customers, individual server owners who set up their own panel, and any organization using Pterodactyl to manage game servers.
Shared hosting customers on managed platforms like Space-Node are not directly affected because the panel instance is managed and patched by the provider.
The Fix
Upgrade to Pterodactyl Panel version 1.11.11. This version adds proper sanitization to the locale input, stripping path traversal characters before the value is used to load files.
The upgrade process for a standard Pterodactyl installation:
cd /var/www/pterodactyl
# Pull the latest release
curl -L https://github.com/pterodactyl/panel/releases/latest/download/panel.tar.gz | tar -xzv
# Set permissions
chmod -R 755 storage/* bootstrap/cache
# Install/update dependencies
composer install --no-dev --optimize-autoloader
# Run database migrations
php artisan migrate --seed --force
# Clear cached configuration
php artisan config:clear
php artisan cache:clear
php artisan view:clear
# Restart queue workers
php artisan queue:restart
# Restart web services (adjust the php-fpm unit name to the PHP version you run)
systemctl reload nginx php8.1-fpm
After the upgrade, verify the running version:
php artisan tinker --execute="echo app()->version();"
The output should read 1.11.11 or a later version.
Verifying You Were Not Already Compromised
If your panel was running a vulnerable version and was publicly accessible, check for signs of exploitation before assuming you are clean after patching.
Check web server access logs for unusual locale parameter requests:
# Replace with your actual access log path
grep -i "locale" /var/log/nginx/access.log | grep "\.\."
Any entries with .. in the locale parameter indicate attempted or successful path traversal. Note that this grep only matches the literal form; URL-encoded variants such as %2e%2e will not appear as .. in the raw log and need to be decoded before the same check applies.
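As an added example (not part of the original post), the following Python script applies the same check to access-log lines but decodes the query string first, so URL-encoded and double-encoded traversal sequences are flagged as well as the literal form. The log lines are constructed samples in nginx combined format, and the endpoint path /locales/locale.json is an assumption about where the locale parameter is read.

```python
# Added example, not from the original post: scan nginx access-log lines for
# locale parameters that carry path traversal, including percent-encoded and
# double-encoded forms that a plain grep for ".." misses.
# Sample lines are constructed; the endpoint path is an assumption.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# nginx combined format: client - - [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one benign request, a literal
# traversal, a percent-encoded one, a double-encoded one, and another benign one.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=dashboard HTTP/1.1" 200 512
203.0.113.9 - - [20/Jun/2025:10:00:02 +0000] "GET /locales/locale.json?locale=../../config/app&namespace=x HTTP/1.1" 200 4096
198.51.100.7 - - [20/Jun/2025:10:00:03 +0000] "GET /locales/locale.json?locale=%2e%2e%2f%2e%2e%2fconfig%2fapp&namespace=x HTTP/1.1" 200 4096
198.51.100.7 - - [20/Jun/2025:10:00:04 +0000] "GET /locales/locale.json?locale=%252e%252e%252fconfig%252fapp&namespace=x HTTP/1.1" 500 0
192.0.2.3 - - [20/Jun/2025:10:00:05 +0000] "GET /locales/locale.json?locale=pt-br&namespace=dashboard HTTP/1.1" 200 511
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences like %252e%252e are reduced to '..' as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True when any path segment of the decoded value is exactly '..'.
    Backslashes are normalised so 'foo\\..\\bar' is treated like 'foo/../bar'."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_requests(log_text: str, params=("locale",)):
    """Return (client, time, param, decoded_value, status) for every request whose
    named query parameter contains a traversal segment. parse_qs already removes
    one layer of percent-encoding; fully_decode handles any further layers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in params:
            for raw in query.get(name, []):
                if has_traversal(raw):
                    hits.append((m["client"], m["time"], name, fully_decode(raw), m["status"]))
    return hits


if __name__ == "__main__":
    for client, when, param, value, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{when} {client} {param}={value!r} -> HTTP {status}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a 200 response on a flagged request is the one to treat as a probable successful read, whereas a 4xx/5xx still shows that someone probed the endpoint.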
Check for recently modified files outside of expected update paths:
find /var/www/pterodactyl -name "*.php" -newer /var/www/pterodactyl/artisan -type f
Files modified more recently than your last legitimate update deserve inspection.
Review your .env file for any credentials that may have been exposed and rotate them:
- APP_KEY
- DB_PASSWORD
- MAIL_PASSWORD
- Any AWS_ or cloud storage keys
Lessons for Panel Security Going Forward
This vulnerability was severe because of the combination: unauthenticated access, a path traversal that bypassed validation, and PHP's ability to execute included files. Each individual flaw amplified the others.
For anyone running Pterodactyl in production, apply these baseline practices:
Keep software updated. Pterodactyl releases are available on GitHub. Follow the repository for security advisories. Subscribe to the Pterodactyl subreddit where patch announcements are posted promptly.
Restrict panel access by IP where possible. If your admin team accesses the panel from a known IP range, a firewall rule limiting web access to those IPs eliminates the unauthenticated attack surface entirely.
Separate the panel from your Wings nodes. Run the web frontend on a different machine from the daemon. A compromised panel should not give direct filesystem access to your game server storage.
Audit your .env regularly. Rotate credentials on a schedule, not only after known incidents.
Space-Node's Response
Space-Node operates managed Pterodactyl infrastructure. Our panel instance was patched to 1.11.11 immediately upon the embargo lift. No customer data was accessible through this vulnerability on our systems.
If you host with Space-Node, no action is required on your part. If you self-host your own Pterodactyl installation, update now.