CVE-2025-49132: Pterodactyl Panel Unauthenticated Remote Code Execution Vulnerability

CVE-2025-49132 identifies a critical unauthenticated remote code execution vulnerability in Pterodactyl Panel that enables attackers to execute arbitrary code without authentication through the /locales/locale.json endpoint using malicious locale and namespace query parameters. This vulnerability affects all Pterodactyl Panel versions prior to 1.11.11, achieving the maximum CVSS score of 10.0 (Critical severity) with EPSS score of 23.7% exploitation probability indicating immediate and widespread threat to game server management infrastructure. The vulnerability details reveal that insufficient input validation in the locale handling mechanism allows attackers to perform path traversal attacks and execute arbitrary code remotely, creating substantial exploit risk for game server hosting providers, Minecraft server administrators, and organizations using Pterodactyl Panel for game server management without requiring any authentication or user interaction. The technical root cause lies in Pterodactyl Panel's LocaleController class where inadequate sanitization of locale and namespace parameters enables path traversal and code execution attacks, classified as CWE-94 (Improper Control of Generation of Code). The vulnerability specifically affects the __invoke method in Pterodactyl\Http\Controllers\Base\LocaleController where improper validation allows attackers to manipulate file paths and include arbitrary files through directory traversal techniques using crafted namespace parameters like "../../../../../../etc/passwd" or malicious code injection payloads. The fix involves implementing strict validation rules through a new LocaleRequest class that enforces locale parameters as exactly two lowercase letters and namespace parameters as simple lowercase letter strings, preventing path traversal and code injection attacks. Mitigation strategies require immediate upgrading to Pterodactyl Panel version 1.11.11 which implements proper input validation and sanitization for locale handling endpoints. Organizations should prioritize identifying all Pterodactyl Panel installations using vulnerable versions, implement Web Application Firewall (WAF) protection as temporary mitigation, disable the /locales/locale.json endpoint if localization features are not critical, monitor for exploitation attempts targeting the locale endpoint, and maintain updated CVE database records to track similar path traversal and code execution vulnerabilities that could compromise game server management systems through unauthenticated remote attacks.