Pterodactyl
cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*
- < 1.11.11
A critical vulnerability allowing unauthenticated arbitrary code execution has been identified in Pterodactyl Panel versions prior to 1.11.11. This issue arises in the LocaleController, where insufficient input validation in the '/locales/locale.json' endpoint allows malicious actors to execute arbitrary code. Exploitation of this vulnerability could lead to unauthorized access to the panel's server, exposure of sensitive configuration data, extraction of private database information, and access to files from servers managed by the panel.
Exploitation of this vulnerability allows for arbitrary code execution on the server where Pterodactyl Panel is hosted. This could be used to access the panel's server, read sensitive configuration files, extract private information from the database, and access files from servers managed by the panel.
Users are advised to update Pterodactyl Panel to version 1.11.11 or apply the available patch. For those who need to patch their installations in-place, a patch file can be retrieved from the Pterodactyl Panel GitHub repository and applied using 'git apply'.
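One way to triage web-server access logs for requests to the endpoint named above, as an added example that is not part of the advisory or the Pterodactyl project. It assumes the nginx/Apache combined log format; the sample lines, parameter names and the `SAFE_VALUE` allowlist are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/locales/locale.json"  # endpoint named in the advisory
# Assumption: a conservative shape for expected values, not the project's own rule.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*")
# Assumption: nginx/Apache "combined" access-log layout.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: documentation IPs, made-up parameter names and values.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:12:00:01 +0000] "GET /locales/locale.json?a=en&b=strings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2025:12:00:05 +0000] "GET /locales/locale.json?a=%3Cconstructed%3E&b=x HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:12:00:09 +0000] "GET /api/client HTTP/1.1" 200 900 "-" "Mozilla/5.0"
not a log line
"""


def triage(log_text):
    """Return {ip: [hit, ...]} for requests to ENDPOINT, noting unexpected values."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        url = urlsplit(m["target"])
        if unquote(url.path) != ENDPOINT:
            continue
        # parse_qsl percent-decodes, so values are checked in their decoded form.
        params = parse_qsl(url.query, keep_blank_values=True)
        odd = [k for k, v in params if not SAFE_VALUE.fullmatch(v)]
        hits[m["ip"]].append({"time": m["ts"], "status": int(m["status"]),
                              "query": url.query, "odd_params": odd})
    return dict(hits)


def needs_review(hits):
    """Source IPs with at least one request whose values fall outside SAFE_VALUE."""
    return sorted(ip for ip, reqs in hits.items() if any(r["odd_params"] for r in reqs))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip in needs_review(found):
        for req in found[ip]:
            print(ip, req["time"], req["status"], req["query"], req["odd_params"])
```

Because the endpoint is reachable without authentication, hits from unknown sources are expected on an exposed panel; the flagged subset is a starting point for review, not proof of compromise.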