EUVD-2025-18765

CVE-2025-49132 | CRITICAL 10.0 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

5 events:
Patch Released: Mar 31, 2026 - 21:13 (source: nvd) - Patch available
Analysis Generated: Mar 15, 2026 - 00:19 (source: vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (source: euvd) - EUVD-2025-18765
PoC Detected: Jun 23, 2025 - 20:16 (source: vuln.today) - Public exploit code
CVE Published: Jun 20, 2025 - 17:15 (source: nvd) - CRITICAL 10.0

Description

Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json endpoint with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code, it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.

Analysis

Pterodactyl game server management panel prior to version 1.11.11 contains an unauthenticated remote code execution vulnerability via the /locales/locale.json endpoint. By manipulating the locale and namespace query parameters, attackers can execute arbitrary code on the panel server, gaining control over all managed game servers.

Technical Context

The /locales/locale.json endpoint processes locale and namespace parameters without proper sanitization, allowing code injection that executes on the Pterodactyl panel server. The panel manages Docker-based game server instances and stores database credentials, API keys, and server configurations.

Affected Products

Pterodactyl Panel < 1.11.11

Remediation

Update to Pterodactyl 1.11.11 or later immediately. Restrict panel access via firewall rules. Rotate database credentials and API keys. Audit managed servers for unauthorized modifications.
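A defender-side check tied to the Technical Context and Remediation above. This is an added example, not code from Pterodactyl or vuln.today: it scans web-server access log lines (constructed samples embedded below, not real traffic) for requests to /locales/locale.json whose locale or namespace parameter falls outside a conservative allowlist, and it tests a Panel version string against the fixed release 1.11.11. The allowlist pattern is an assumption of this example; the page does not describe what the malicious parameter values look like.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIXED_VERSION = (1, 11, 11)  # first patched release named on the page
ENDPOINT = "/locales/locale.json"
# Assumption (not from the page): legitimate values look like "en", "en_US"
# or a plain/dotted namespace name; anything else is flagged for review.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_\-.]{1,32}$")

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2025:17:20:01 +0000] "GET /locales/locale.json?locale=en&namespace=dashboard HTTP/1.1" 200 512
203.0.113.11 - - [20/Jun/2025:17:21:07 +0000] "GET /locales/locale.json?locale=en&namespace=x%3B%20y HTTP/1.1" 200 0
203.0.113.12 - - [20/Jun/2025:17:22:30 +0000] "GET /api/client HTTP/1.1" 401 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def is_version_vulnerable(version: str) -> bool:
    """True when a Panel version string such as '1.11.10' is below 1.11.11."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts < FIXED_VERSION


def suspicious_locale_requests(log_text: str) -> list[dict]:
    """Return requests to the locale endpoint whose parameters fail the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so the check sees what the app sees
        params = parse_qs(url.query, keep_blank_values=True)
        bad = {k: v for k in ("locale", "namespace")
               for v in params.get(k, []) if not SAFE_VALUE.match(v)}
        if bad:
            hits.append({"ip": m.group("ip"), "params": bad})
    return hits


if __name__ == "__main__":
    for hit in suspicious_locale_requests(SAMPLE_LOG):
        print(f"suspicious locale.json request from {hit['ip']}: {hit['params']}")
```

Run it against the panel's real access log to find requests worth auditing; a hit is a signal for review, not proof of exploitation.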

Priority Score

Priority Score: 82 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +12.2, CVSS +50, POC +20


EUVD-2025-18765 vulnerability details – vuln.today
