Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-49132
CVE-2025-49132:
PHP vulnerability analysis and mitigation
Overview
Pterodactyl Panel, a free open-source game server management panel, was found to contain a critical vulnerability (CVE-2025-49132) that allows unauthenticated arbitrary remote code execution. The vulnerability affects versions prior to 1.11.11 and was discovered in June 2025. The issue involves the /locales/locale.json endpoint with locale and namespace query parameters that could be exploited without authentication (GitHub Advisory).
Technical details
The vulnerability exists in the locale handling functionality of Pterodactyl Panel, specifically in the /locales/locale.json endpoint. When exploited, it allows attackers to execute arbitrary code without requiring authentication. The vulnerability has received a CVSS v3.1 score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).
Impact
The vulnerability's impact is severe as it allows attackers to gain complete access to the Panel's server, read credentials from the Panel's config files, extract sensitive information from the database (including usernames, emails, names, hashed passwords, and IP addresses), and access files of servers managed by the panel. The scope of possible exploitation is extensive, with potential for complete system compromise (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in version 1.11.11. For those unable to update immediately, there are limited workarounds available. While disabling the /locales/locale.json endpoint at the webserver level is possible, it would break the localization feature. An alternative mitigation involves using an external Web Application Firewall (WAF), such as Cloudflare's WAF with their default ruleset (Pro plan or above). However, updating to v1.11.11 or manually applying the patch is strongly recommended as the most effective mitigation (GitHub Advisory).
Community reactions
The release of the patch has garnered significant attention from the security community, with multiple reactions on GitHub indicating the severity of the vulnerability. The patch release received 16 thumbs up reactions, 14 eyes reactions, and 1 rocket reaction, showing strong community engagement and recognition of its importance (GitHub Release).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management