CRITICAL🇵🇱 Wersja polska

CVE-2024-27102

CVSS 9.9v3.1pub. 2024-03-13upd. 2025-01-23

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.

🤖 AI Analysis
How it works

A path traversal flaw (CWE-22) combined with a race condition vulnerability (CWE-362/CWE-363) allows escape from the server's base directory controlled by Wings. An attacker with an allocated and controlled server within a Wings instance can, through a crafted request, read files located outside the sandbox. The vulnerability required complete rewriting of the entire file system handling module, indicating its deep embedding in the application architecture.

Impact

An attacker can read files and directories from the host system outside the designated server isolation area, which may lead to disclosure of sensitive data, including configurations, keys, or data of other system users.

Mitigation & patch

Pterodactyl Wings must be immediately updated to version 1.11.9. The vendor does not provide any workarounds — updating is the only way to eliminate the vulnerability.

Who is affected

Pterodactyl Wings — versions prior to 1.11.9; the vulnerability affects anyone running vulnerable Wings versions with allocated servers

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Pterodactyl Wings

    APP
    Pterodactyl
    < 1.11.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2023-32080CRITICAL9.0ten sam produkt

Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and...

CVE-2023-25168CRITICAL9.6ten sam produkt

Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories re...

CVE-2026-21696HIGH8.3ten sam produkt

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting ...

CVE-2025-69199HIGH8.3ten sam produkt

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to ...

CVE-2025-68954HIGH7.5ten sam produkt

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke acti...