Pterodactyl Panel TOTP Token Reuse Vulnerability

Vulnerability

A vulnerability in Pterodactyl Panel versions prior to 1.12.0 allows Time-based One-Time Password (TOTP) tokens to be reused within their validity period. When users with two-factor authentication (2FA) enabled sign in, they are prompted to enter a TOTP token. However, once the token has been used, it is not recorded as consumed, so an attacker who intercepts the token can use it alongside a known username and password during the token's 60-second validity window. The issue arises because the panel's authentication process does not restrict further use of a TOTP token after it has been entered, creating a window of opportunity for exploitation.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts by reusing intercepted TOTP tokens, bypassing the intended security of two-factor authentication.

Reproduction

To reproduce this vulnerability, log into a Pterodactyl Panel account with 2FA enabled. During the login process, intercept the TOTP token that is generated and displayed. Once the token is captured, it can be reused within the same validity window (approximately 60 seconds) by entering it along with the username and password, effectively bypassing the one-time use requirement of the TOTP authentication.

Remediation

Users can update to Pterodactyl Panel version 1.12.0 or later, where this vulnerability has been fixed.
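To make the defect concrete, the following is an added Python illustration (not Pterodactyl's code) of a TOTP verifier that accepts a valid token every time it is presented, beside one that records the consumed time step and rejects the replay, which is the behaviour RFC 6238 requires of a verifier. The secret, the 30-second step and the one-step tolerance window are assumptions; the page does not state the panel's parameters.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default step (assumption; the page does not give the panel's value)
DIGITS = 6


def totp(secret: bytes, step: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over the step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def matching_step(secret: bytes, code: str, now: int, window: int = 1):
    """Return the time step whose token equals `code`, tolerating +/- `window`
    steps of clock drift (assumed tolerance), or None when nothing matches."""
    current = now // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(secret, step), code):
            return step
    return None


class VulnerableVerifier:
    """The behaviour the advisory describes: nothing records that a token was
    already used, so a correct token is accepted again while still in its window."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return matching_step(self.secret, code, now) is not None


class HardenedVerifier:
    """Remembers the highest time step already consumed for this user, so each
    token is accepted at most once (in production, persist last_step per user)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        step = matching_step(self.secret, code, now)
        if step is None or step <= self.last_step:
            return False  # unknown token, or a token from an already-consumed step
        self.last_step = step  # mark consumed before granting the session
        return True
```

The RFC 4226/6238 test secret `12345678901234567890` yields `287082` for time step 1 (time 59), which makes the replay check easy to verify by hand.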

Added: Jan 6, 2026, 1:18 AM
Updated: Jan 6, 2026, 1:18 AM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.