CVE-2025-69199
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within Wings lack proper rate limiting and throttling. As a result, a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system's memory and CPU. Additionally, no limit is applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue.
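The two controls the description says were missing, a cap on message size and a throttle on message rate, can be sketched per socket as follows. This is an added example, not the Wings 1.12.0 patch: `SocketGuard`, its methods and all limit values are hypothetical, and it covers a single socket only, not the number of sockets a user may open.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// Constructed limits for illustration; not the values Wings 1.12.0 uses.
const (
	maxMessageBytes = 4096 // largest inbound frame accepted
	burst           = 10.0 // frames allowed back to back
	refillPerSec    = 5.0  // sustained frames per second
)

var (
	ErrTooLarge    = errors.New("message exceeds size limit")
	ErrRateLimited = errors.New("message rate exceeded")
)

// SocketGuard is a token bucket kept per websocket (hypothetical type).
type SocketGuard struct {
	tokens float64
	last   time.Time
}

func NewSocketGuard(now time.Time) *SocketGuard { return &SocketGuard{tokens: burst, last: now} }

// Allow runs on every inbound frame before the server does any work for it.
func (s *SocketGuard) Allow(size int, now time.Time) error {
	if size > maxMessageBytes {
		return ErrTooLarge // rejected without spending a token
	}
	// Refill for the time elapsed since the last frame, capped at burst.
	s.tokens = math.Min(burst, s.tokens+now.Sub(s.last).Seconds()*refillPerSec)
	s.last = now
	if s.tokens < 1 {
		return ErrRateLimited
	}
	s.tokens--
	return nil
}

func main() {
	t0 := time.Now()
	g := NewSocketGuard(t0)
	fmt.Println(g.Allow(1<<20, t0), g.Allow(64, t0))
}
```

In a real read loop the size cap would also be enforced by the websocket library before the frame is buffered, so that an oversized message is never read into memory in full.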
EPSS 0.08% · 23.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| pterodactyl | wings | 0, 0 |
| github.com | pterodactyl/wings | 0, 0 |
| pterodactyl | panel | *, < 1.12.0 |
Timeline
- Jan 19, 2026 CVE Published
- Jan 20, 2026 EPSS Score
- Jan 23, 2026 EPSS Score
- Jan 25, 2026 EPSS Score
- Jan 28, 2026 EPSS Score
- Jan 31, 2026 EPSS Score
- Jan 31, 2026 Security Advisory
- Feb 2, 2026 CVE Updated
- Feb 3, 2026 EPSS Score
- Feb 5, 2026 EPSS Score
- Feb 8, 2026 EPSS Score
- Feb 11, 2026 EPSS Score
References
- https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-69199 advisory
- https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607 url
- https://github.com/pterodactyl/panel package
- https://github.com/pterodactyl/panel/releases/tag/v1.12.0 url