{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T05:57:53.140","vulnerabilities":[{"cve":{"id":"CVE-2025-69198","sourceIdentifier":"security-advisories@github.com","published":"2026-01-19T19:16:03.023","lastModified":"2026-02-02T20:42:41.630","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result a server would be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. Version 1.12.0 fixes the issue."},{"lang":"es","value":"Pterodactyl es un panel de gestión de servidores de juegos gratuito y de código abierto. Pterodactyl implementa límites de tasa que se aplican al número total de recursos (p. ej., bases de datos, asignaciones de puertos o copias de seguridad) que pueden existir para un servidor individual. Estos límites de recursos se aplican por servidor y se validan durante el ciclo de solicitud. Sin embargo, en versiones anteriores a la 1.12.0, es posible que un usuario malintencionado envíe un volumen masivo de solicitudes al mismo tiempo que crearía más recursos de los asignados al servidor. Esto se debe a que la validación ocurre temprano en el ciclo de solicitud y no bloquea el recurso objetivo mientras se está procesando. Como resultado, enviar un gran volumen de solicitudes al mismo tiempo haría que todas esas solicitudes se validaran como que no utilizan ninguno de los recursos objetivo, y luego todas crearían los recursos al mismo tiempo. Como resultado, un servidor podría crear más bases de datos, asignaciones o copias de seguridad de las configuradas. Un usuario malintencionado puede denegar recursos a otros usuarios en el sistema y puede consumir excesivamente las asignaciones limitadas para un nodo, o llenar el espacio de copia de seguridad más rápido de lo permitido por el sistema. La versión 1.12.0 corrige el problema."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-400"},{"lang":"en","value":"CWE-413"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*","versionEndExcluding":"1.12.0","matchCriteriaId":"6163FD74-C4E9-4B5C-82B5-9BB139F9FE9D"}]}]}],"references":[{"url":"https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}