Vulnerability Description
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pterodactyl | Panel | < 1.12.0 |
| Pterodactyl | Wings | < 1.12.0 |
Related Weaknesses (CWE)
References
- https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678acPatch
- https://github.com/pterodactyl/panel/releases/tag/v1.12.0ProductRelease Notes
- https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479cVendor Advisory
FAQ
What is CVE-2025-68954?
CVE-2025-68954 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions...
How severe is CVE-2025-68954?
CVE-2025-68954 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68954?
Check the references section above for vendor advisories and patch information. Affected products include: Pterodactyl Panel, Pterodactyl Wings.