CVE-2025-49132 is a critical-severity code injection vulnerability in pterodactyl/panel (composer), affecting versions <= 1.11.10. It is fixed in 1.11.11.
Impact Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code, without being authenticated. With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (.env or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc. Patches This vulnerability was patched by https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0 and was released under the v1.11.11 tag without any other code modifications compared to v1.11.10. For those who need to patch their installations in-place or apply it on top of other code modifications, a patch file can be retrieved from <https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0.patch> and applied using git apply. Workarounds Other than patching the software, there is no workaround in this software. Disabling the /locales/locale.json endpoint at the webserver level is possible, but would break the localization feature wherever it is used. The only other workaround relies on an external Web Application Firewall (WAF), such as Cloudflare's WAF with their default ruleset (requires Pro plan or above, Free doesn't have the proper ruleset) to mitigate this attack. Updating to v1.11.11 or manually patching the software are the only recommended ways to completely mitigate this vulnerability. User Notice Shortly after the v1.11.11release and it's announcement, security researchers and malicious actors have been attempting to exploit this vulnerability. While there hasn't been any official confirmations of breaches or successful exploits of the vulnerability in the wild, it is only a matter of time for those who remain on unpatched versions without any workarounds in place. The scope of this vulnerability cannot be fully described, anything is possible. It is of utmost importance that anyone running a vulnerable version of this software, patch it or update to the latest available version immediately.
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
CVE-2025-49132 has a CVSS score of 10.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.11.11). Upgrading removes the vulnerable code path.
composer
pterodactyl/panel (<= 1.11.10)pterodactyl/panel → 1.11.11 (composer)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2025-49132 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2025-49132 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2025-49132 in your environment →Upgrade pterodactyl/panel to 1.11.11 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2025-49132 is a critical-severity code injection vulnerability in pterodactyl/panel (composer), affecting versions <= 1.11.10. It is fixed in 1.11.11. Untrusted input is evaluated as executable code within the application's runtime environment.
CVE-2025-49132 has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
pterodactyl/panel (composer) versions <= 1.11.10 is affected.
Yes. CVE-2025-49132 is fixed in 1.11.11. Upgrade to this version or later.
Whether CVE-2025-49132 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade pterodactyl/panel to 1.11.11 or later.