Pterodactyl Game Panel - CVSS 10.0

Comments

  • 384_cz Member

    Thank you for this post!

  • Thanks for the heads up.

  • Thanks, I'll watch this thread

  • Pterodactyl® is a free, open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.

    Project description has aged well... ;)

    Thanked by ethanblake87
  • Fuck Pterodactyl, use Pelican (though I don't know if the security aspect is better :blush: )

  • ShalaWorks Member
    edited June 2025

    @Mik3y326 said:
    Fuck Pterodactyl, use Pelican (though I don't know if the security aspect is better :blush: )

    Looks like pterodactyl with extra steps

    Thanked by itzgeo, ethanblake87
  • Kevinf100 Member
    edited June 2025

    @ShalaWorks said:

    @Mik3y326 said:
    Fuck Pterodactyl, use Pelican (though I don't know if the security aspect is better :blush: )

    Looks like pterodactyl with extra steps

    Well yeah, it's a team that left Pterodactyl. And thank fuck they did, because I like Pelican better than Pterodactyl. They have better features. They also were not hit by this problem.
    https://pelican.dev/docs/

    Who is Pelican?

    In the realm of technology and hosting services, bold pioneers left the constraints of Pterodactyl to forge their own path.

    United by a shared vision and a relentless pursuit of excellence, They came together to form Pelican—a beacon of innovation and reliability.

    Together, they form the heart and soul of Pelican—a company defined not only by its technological prowess but also by its unwavering dedication to customer satisfaction.

    With innovation as their compass and collaboration as their strength, Pelican soars to new heights, shaping the future of server management with each triumphant flight.

  • theraw Member
    edited June 2025

    @Mik3y326 said:
    Fuck Pterodactyl, use Pelican (though I don't know if the security aspect is better :blush: )

    Created by the same brains and source, which pretty much makes it the same thing; eventually there will be too much code to handle, they'll get bored and create Penguin panel next.

    Thanked by itzgeo
  • https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843

    Looking at the patch, I genuinely do not see how someone can remotely execute arbitrary code. Makes no sense.

  • MikeA Member, Patron Provider

    @PolyAnthi said:
    https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843

    Looking at the patch, I genuinely do not see how someone can remotely execute arbitrary code. Makes no sense.

    I don't know, so I fed it into Claude Opus and it pointed out the exact code pre-patch as an RCE risk due to it not sanitizing/validating data, so it could be used for RCE/path traversal/file inclusion.

  • Advin Member, Host Rep
    edited June 2025

    @MikeA said:

    @PolyAnthi said:
    https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843

    Looking at the patch, I genuinely do not see how someone can remotely execute arbitrary code. Makes no sense.

    I don't know, so I fed it into Claude Opus and it pointed out the exact code pre-patch as an RCE risk due to it not sanitizing/validating data, so it could be used for RCE/path traversal/file inclusion.

    I took a look at it when the announcement came out. Yes, exploits like these can be used for an RCE. However, there's nothing really apparent in the Pterodactyl codebase that would allow this to result in an RCE.
