Vulnerability Description
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pterodactyl | Panel | < 1.12.0 |
Related Weaknesses (CWE)
References
- https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8Patch
- https://github.com/pterodactyl/panel/releases/tag/v1.12.0ProductRelease Notes
- https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683Vendor Advisory
FAQ
What is CVE-2025-69197?
CVE-2025-69197 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to ente...
How severe is CVE-2025-69197?
CVE-2025-69197 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-69197?
Check the references section above for vendor advisories and patch information. Affected products include: Pterodactyl Panel.