CVE-2025-69199 Overview
CVE-2025-69199 is a resource exhaustion vulnerability in Wings, the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, WebSockets within Wings lack proper rate limiting and throttling, enabling attackers to launch denial of service attacks against the host system.
The vulnerability allows malicious users to open a large number of WebSocket connections and request excessive data through these sockets, causing network overload and exhausting host system memory and CPU resources. Additionally, no limit is applied to the total size of messages being sent or received, so attackers can open thousands of WebSocket connections and send massive volumes of data, further overwhelming the host network and system resources.
Critical Impact
Attackers can exhaust system resources through unthrottled WebSocket connections, causing denial of service to game server management infrastructure and potentially affecting all hosted game servers.
Affected Products
- Pterodactyl Wings versions prior to 1.12.0
- Pterodactyl Panel installations using vulnerable Wings versions
- Self-hosted game server management environments running affected Wings
Discovery Timeline
- 2026-01-19 - CVE-2025-69199 published to NVD
- 2026-01-19 - Last updated in the NVD database
Technical Details for CVE-2025-69199
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a denial of service weakness that occurs when an application does not properly restrict the amount of resources that can be consumed. In the case of Wings, the WebSocket implementation fails to implement essential rate limiting controls, creating two distinct attack surfaces.
The first attack vector involves connection flooding, where an attacker can establish an excessive number of WebSocket connections to the Wings service. Each connection consumes server resources, and without connection limits, the host system's memory and connection handling capacity can be rapidly exhausted.
The second attack vector exploits the lack of message size restrictions. Once WebSocket connections are established, attackers can transmit extremely large payloads through these sockets. The absence of message size validation means the server will attempt to process arbitrarily large messages, leading to memory exhaustion, increased CPU utilization, and network bandwidth saturation.
Because the vulnerability is reachable over the network, any authenticated user with WebSocket access to the Wings service can potentially launch these attacks, which makes proper access controls and monitoring critical for affected installations.
Root Cause
The root cause of CVE-2025-69199 is the absence of rate limiting, connection throttling, and message size validation in the Wings WebSocket implementation. The application failed to implement defensive measures that would restrict:
- The number of concurrent WebSocket connections from a single source
- The rate at which data can be requested through active connections
- The maximum allowable size for individual WebSocket messages
- The aggregate bandwidth consumption across connections
This design oversight allows resource consumption to scale linearly with attacker effort, making denial of service attacks trivially achievable.
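The first and third controls listed above, written as an added Go example that is not Wings' own code: a per-source cap on concurrent sockets enforced at handshake time, and a message-size check applied to a frame's declared length before any payload is buffered. The source key (client IP or user id) and the limit values are assumptions supplied by the caller.

```go
package main

import (
	"errors"
	"sync"
)
var (
	ErrTooManyConns  = errors.New("too many concurrent websocket connections from this source")
	ErrMessageTooBig = errors.New("websocket message exceeds the maximum allowed size")
)
// WSLimiter caps open sockets per source (client IP or user id, the caller's
// choice) and the size of any single message; both limit values are assumptions.
type WSLimiter struct {
	mu          sync.Mutex
	maxConns    int
	maxMsgBytes int64
	conns       map[string]int
}

func NewWSLimiter(maxConns int, maxMsgBytes int64) *WSLimiter {
	return &WSLimiter{maxConns: maxConns, maxMsgBytes: maxMsgBytes, conns: map[string]int{}}
}

// Acquire runs before the HTTP upgrade is accepted and refuses it once the source
// already holds maxConns sockets; Release must run when that socket closes.
func (l *WSLimiter) Acquire(source string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.conns[source] >= l.maxConns {
		return ErrTooManyConns
	}
	l.conns[source]++
	return nil
}

func (l *WSLimiter) Release(source string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.conns[source]--; l.conns[source] <= 0 {
		delete(l.conns, source) // forget idle sources so the map cannot grow unbounded
	}
}

// CheckMessageSize takes the frame's declared payload length before the payload
// is read, so an oversized message is refused without ever being buffered.
func (l *WSLimiter) CheckMessageSize(size int64) error {
	if size > l.maxMsgBytes {
		return ErrMessageTooBig
	}
	return nil
}
```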
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the Pterodactyl Wings service. An attacker can exploit this vulnerability by:
- Establishing multiple WebSocket connections to the Wings control plane
- Initiating data requests across all connections simultaneously to overwhelm network bandwidth
- Sending oversized messages through established connections to exhaust memory and CPU resources
- Sustaining the attack to maintain resource exhaustion and deny service to legitimate users
The vulnerability mechanism centers on the WebSocket handler's failure to implement connection and message rate controls. When a client establishes a WebSocket connection, the server does not track or limit the number of connections from that client. Similarly, when messages are received, there is no validation of message size before processing begins, allowing arbitrarily large payloads to consume memory as they are buffered for processing. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2025-69199
Indicators of Compromise
- Unusually high number of WebSocket connections from single IP addresses or user accounts
- Abnormal memory consumption spikes on Wings server processes
- Network bandwidth saturation with WebSocket traffic patterns
- Elevated CPU utilization correlating with WebSocket activity
- Service degradation or unavailability reports from legitimate Pterodactyl users
Detection Strategies
- Monitor WebSocket connection counts per source IP and alert on thresholds exceeding normal operational baselines
- Implement network traffic analysis to detect abnormal data volumes on Wings service ports
- Configure system resource monitoring to alert on memory and CPU exhaustion events
- Review Wings application logs for connection establishment patterns indicative of abuse
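The first detection strategy above, as an added Go example that is not part of the advisory: it scans nginx-style access log lines from a reverse proxy in front of Wings, keeps only completed WebSocket handshakes (assumed here to appear as status 101 on a /api/servers/<id>/ws path), and reports any client IP whose handshakes inside one sliding window reach the threshold. The log lines are constructed for the example.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed for this example (not a real Wings or nginx log).
const SampleLog = `203.0.113.7 - - [19/Jan/2026:10:00:00 +0000] "GET /api/servers/a1b2/ws HTTP/1.1" 101 0 "-" "x"
203.0.113.7 - - [19/Jan/2026:10:00:01 +0000] "GET /api/servers/a1b2/ws HTTP/1.1" 101 0 "-" "x"
203.0.113.7 - - [19/Jan/2026:10:00:02 +0000] "GET /api/servers/a1b2/ws HTTP/1.1" 101 0 "-" "x"
203.0.113.7 - - [19/Jan/2026:10:00:04 +0000] "GET /api/servers/a1b2 HTTP/1.1" 200 512 "-" "x"
198.51.100.4 - - [19/Jan/2026:10:00:03 +0000] "GET /api/servers/c3d4/ws HTTP/1.1" 101 0 "-" "x"
198.51.100.4 - - [19/Jan/2026:10:05:00 +0000] "GET /api/servers/c3d4/ws HTTP/1.1" 101 0 "-" "x"
`
// nginx "combined" format: captures client IP, timestamp, request path and status.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) `)

// UpgradeFlood returns, per client IP, the peak number of successful WebSocket
// handshakes seen inside any one window of the given length, keeping only IPs
// whose peak reaches threshold (the alerting baseline is the operator's choice).
func UpgradeFlood(logs string, window time.Duration, threshold int) map[string]int {
	byIP := map[string][]time.Time{}
	for _, line := range strings.Split(logs, "\n") {
		m := logLine.FindStringSubmatch(line)
		if m == nil || m[4] != "101" || !strings.HasPrefix(m[3], "/api/servers/") || !strings.HasSuffix(m[3], "/ws") {
			continue // not a completed Wings WebSocket handshake
		}
		if ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2]); err == nil {
			byIP[m[1]] = append(byIP[m[1]], ts) // lines with malformed timestamps are skipped
		}
	}
	flagged := map[string]int{}
	for ip, times := range byIP {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		peak, lo := 0, 0
		for hi := range times { // two-pointer sliding window over sorted timestamps
			for times[hi].Sub(times[lo]) >= window {
				lo++
			}
			if hi-lo+1 > peak {
				peak = hi - lo + 1
			}
		}
		if peak >= threshold {
			flagged[ip] = peak
		}
	}
	return flagged
}
```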
Monitoring Recommendations
- Deploy application-level monitoring for Wings WebSocket endpoints to track connection rates and message volumes
- Establish baseline metrics for normal WebSocket activity and configure anomaly detection
- Integrate Wings host system metrics with SIEM solutions for correlation with authentication events
- Enable network flow logging to capture traffic patterns for forensic analysis
How to Mitigate CVE-2025-69199
Immediate Actions Required
- Upgrade Pterodactyl Wings to version 1.12.0 or later immediately
- Audit current Wings deployments to identify vulnerable versions
- Implement network-level rate limiting on Wings service endpoints as a temporary measure
- Review user access lists and restrict WebSocket access to trusted accounts pending upgrade
- Monitor for signs of active exploitation while patching is in progress
Patch Information
Version 1.12.0 of Pterodactyl Wings addresses this vulnerability by implementing proper rate limiting and throttling mechanisms for WebSocket connections. The patch introduces connection limits, message size restrictions, and bandwidth throttling to prevent resource exhaustion attacks.
Administrators should update to Wings version 1.12.0 or later using their standard update procedures. For detailed patch information, consult the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy with rate limiting capabilities in front of the Wings service to restrict connection rates
- Configure firewall rules to limit the number of connections per source IP to Wings service ports
- Implement network-level bandwidth throttling for WebSocket traffic to prevent saturation attacks
- Restrict Wings WebSocket access to trusted IP ranges or VPN-only access pending upgrade
# Example nginx rate limiting configuration for a reverse proxy in front of Wings.
# The two *_zone directives must be placed in the http {} context; the location
# block goes inside the server {} block that proxies Wings. Note that limit_req
# throttles only the HTTP handshake that opens each WebSocket: nginx does not
# inspect frame sizes after the upgrade, so upgrading Wings remains the real fix.
limit_conn_zone $binary_remote_addr zone=ws_conn:10m;
limit_req_zone $binary_remote_addr zone=ws_req:10m rate=10r/s;

location /api/servers {
    limit_conn ws_conn 10;                   # at most 10 open connections per client IP
    limit_req zone=ws_req burst=20 nodelay;  # handshakes per IP: 10/s sustained, bursts of 20
    proxy_pass http://wings_backend;         # an upstream block named wings_backend is assumed
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 1h;                   # idle console sockets would otherwise drop after 60s
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.