CVE-2025-69197

Summary

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.

Affected Software

VendorProductVersion RangeStatus
pterodactylpanel< 1.12.0affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-294: CWE-294: Authentication Bypass by Capture-replay

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References