CVE-2025-69197: Pterodactyl TOTPs can be reused during validity window
When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window.
This vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds.
References
- github.com/advisories/GHSA-rgmp-4873-r683
- github.com/pterodactyl/panel
- github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf
- github.com/pterodactyl/panel/releases/tag/v1.12.0
- github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683
- nvd.nist.gov/vuln/detail/CVE-2025-69197
Code Behaviors & Features
Detect and mitigate CVE-2025-69197 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →