GHSA-rgmp-4873-r683: Pterodactyl TOTPs can be reused during validity window

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-69197

Pterodactyl TOTPs can be reused during validity window

Moderate severity GitHub Reviewed Published Jan 6, 2026 in pterodactyl/panel • Updated Jan 6, 2026

Package

composer pterodactyl/panel (Composer)

Affected versions

< 1.12.0

Summary

When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window.

This vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds.

References

• GHSA-rgmp-4873-r683
• https://nvd.nist.gov/vuln/detail/CVE-2025-69197
• pterodactyl/panel@032bf07
• https://github.com/pterodactyl/panel/releases/tag/v1.12.0

Published to the GitHub Advisory Database

Jan 6, 2026