CVE-2025-68954: Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.
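The pattern behind this advisory, as an added illustration in Go that is not Pterodactyl's own code: a session that caches the permission decision at login keeps serving files after a revocation, whereas a session that re-checks the live permission store on every file operation denies access immediately. The permission store, the session types and the user/server names are all constructed for the example.

```go
package main

import "errors"

var ErrDenied = errors.New("sftp: file access denied")

// PermStore is a hypothetical in-memory stand-in for the panel's per-user,
// per-server SFTP file permissions (constructed for this example).
type PermStore map[string]bool

func (p PermStore) Grant(user, server string)        { p[user+"@"+server] = true }
func (p PermStore) Revoke(user, server string)       { delete(p, user+"@"+server) } // user removed or permission dropped
func (p PermStore) Allowed(user, server string) bool { return p[user+"@"+server] }

// StaleSession reproduces the vulnerable pattern: the permission decision is
// made once at login and cached for the lifetime of the SFTP connection.
type StaleSession struct{ allowed bool }

func LoginStale(store PermStore, user, server string) *StaleSession {
	return &StaleSession{allowed: store.Allowed(user, server)}
}

func (s *StaleSession) ReadFile(path string) error {
	if !s.allowed {
		return ErrDenied
	}
	return nil // still served after a later revocation: this is the bug
}

// CheckedSession re-validates against the live permission store on every file
// operation, so a revocation takes effect on connections that are already open.
type CheckedSession struct {
	store        PermStore
	user, server string
}

func LoginChecked(store PermStore, user, server string) (*CheckedSession, error) {
	if !store.Allowed(user, server) {
		return nil, ErrDenied
	}
	return &CheckedSession{store: store, user: user, server: server}, nil
}

func (s *CheckedSession) ReadFile(path string) error {
	if !s.store.Allowed(s.user, s.server) {
		return ErrDenied
	}
	return nil
}
```

In a real daemon the same effect can be obtained by closing open sessions for the affected user when the panel pushes a permission change, as long as every file operation also fails closed on a denied check.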
References
- github.com/advisories/GHSA-8c39-xppg-479c
- github.com/pterodactyl/panel
- github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5
- github.com/pterodactyl/panel/releases/tag/v1.12.0
- github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c
- nvd.nist.gov/vuln/detail/CVE-2025-68954