6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-69197

CVE-2025-69197: Pterodactyl TOTPs can be reused during validity window

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-69197

CVE-2025-69197:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pterodactyl/panel	composer	< 1.12.0	1.12.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows for the reuse of a Time-based One-Time Password (TOTP) within its short validity window, undermining the security of two-factor authentication. The analysis of the patch commit 032bf076d92bb2f929fa69c1bac1b89f26b8badf reveals that the weakness was located in the __invoke method of the LoginCheckpointController. This controller is responsible for verifying the 2FA token after a user has provided their primary credentials. The original code only validated the token's correctness for the current time, without invalidating it upon use. The fix involves storing the timestamp of the last successful TOTP authentication and checking against it on subsequent login attempts using the verifyKeyNewer function. This ensures that each token can be used only once. Therefore, the Pterodactyl\Http\Controllers\Auth\LoginCheckpointController::__invoke function is the precise location of the vulnerability.

Vulnerable functions

Pterodactyl\Http\Controllers\Auth\LoginCheckpointController::__invoke

app/Http/Controllers/Auth/LoginCheckpointController.php

This function handles the 2FA verification during the login process. The original implementation used the `verifyKey` method, which checked if a TOTP token was valid but did not prevent it from being used multiple times within its validity window. An attacker with the user's credentials and a captured TOTP token could reuse it to authenticate. The patch replaces `verifyKey` with `verifyKeyNewer` and introduces a timestamp check (`totp_authenticated_at`) to ensure a token can only be used once.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-69197: Pterodactyl TOTPs can be reused during validity window

CVE-2025-69197:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.5

6.5

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-69197: Pterodactyl TOTPs can be reused during validity window

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI