CVE-2025-69199

MEDIUM

Pterodactyl Wings < 1.12.0 - Unauthenticated Uncontrolled Resource Consumption via WebSocket Connections

Title source: llm

Description

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu. Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98

Scores

CVSS v3 6.5

EPSS 0.0025

EPSS Percentile 16.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400 CWE-770

Status published

Products (2)

pterodactyl/wings < 1.12.0

pterodactyl/wings 0 - 1.12.0Go

Published Jan 19, 2026

Tracked Since Feb 18, 2026