Pterodactyl
cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*
- < 1.12.0
A vulnerability in Pterodactyl prior to version 1.12.0 allows for the creation of resources such as databases, port allocations, and backups beyond the allocated limits for individual servers. This issue arises from the application's validation process, which occurs early in the request cycle and fails to lock resources while they are being processed. As a result, a malicious user can send a high volume of simultaneous requests that bypass the resource limits, leading to excessive consumption of server resources. The vulnerability can disrupt resource availability for other users and may cause a server to quickly exhaust its allocated resources or backup space.
Exploitation of this vulnerability can lead to resource denial for other users and excessive consumption of node allocations or backup space, causing potential disruptions in service.
Users can upgrade to Pterodactyl version 1.12.0 or later to address this vulnerability.
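The check-then-create race described above, modeled in memory as an added example; this is not Pterodactyl's code or its 1.12.0 patch. The Server class, the handler names and the lock-based fix are assumptions for illustration, and over_limit is a hypothetical audit helper for finding servers that already exceed their limit.

```python
import threading

class Server:
    """Constructed in-memory stand-in for a server record with a backup limit."""
    def __init__(self, backup_limit):
        self.backup_limit = backup_limit
        self.backups = []
        self.lock = threading.Lock()  # assumption: stands in for a row/resource lock

def create_unlocked(server, validated):
    # The limit is validated early; nothing holds the count steady afterwards.
    allowed = len(server.backups) < server.backup_limit
    validated.wait()  # every in-flight request has passed validation by now
    if allowed:
        server.backups.append("backup")
    return allowed

def create_locked(server, validated):
    validated.wait()  # same concurrency, but check and write form one unit
    with server.lock:
        if len(server.backups) >= server.backup_limit:
            return False
        server.backups.append("backup")
        return True

def run_concurrent(handler, backup_limit, requests):
    """Run `requests` simultaneous calls; return (accepted, stored)."""
    server = Server(backup_limit)
    validated = threading.Barrier(requests)
    results = []
    def worker():
        results.append(handler(server, validated))
    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), len(server.backups)

def over_limit(counts):
    """Audit helper: counts maps server id -> (stored, limit)."""
    return sorted(sid for sid, (stored, limit) in counts.items() if stored > limit)

if __name__ == "__main__":
    print("unlocked:", run_concurrent(create_unlocked, 2, 8))
    print("locked:  ", run_concurrent(create_locked, 2, 8))
```

The barrier makes the interleaving deterministic so the difference is reproducible: without the lock every request is accepted, with it only the first two are.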