CVE-2025-69199: CWE-400: Uncontrolled Resource Consumption in pterodactyl panel
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within Wings lack proper rate limiting and throttling. As a result, a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system's memory and CPU. Additionally, no limit is applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over each socket, overloading the host network and increasing CPU and memory load within Wings. Version 1.12.0 patches the issue.
AI Analysis
Technical Summary
CVE-2025-69199 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the Wings component of the Pterodactyl panel, an open-source game server management platform. Wings acts as the server control plane, managing game server instances via websockets. Prior to version 1.12.0, Wings lacks proper rate limiting and throttling mechanisms on websocket connections. This deficiency allows a malicious actor to establish a large number of websocket connections simultaneously. Once connected, the attacker can request or send massive volumes of data through these sockets without any enforced limits on message size or frequency. This leads to excessive consumption of CPU, memory, and network bandwidth on the host system, potentially causing resource exhaustion and denial of service. The vulnerability does not require user interaction and can be exploited remotely without authentication, increasing its risk profile. The CVSS 4.0 base score is 8.3 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but with high impact on availability. The vulnerability was publicly disclosed in January 2026, with no known exploits in the wild at the time of publication. The fix is included in Pterodactyl Wings version 1.12.0, which introduces proper rate limiting and message size restrictions on websocket connections to prevent resource exhaustion attacks.
Potential Impact
For European organizations, especially those operating game servers or hosting services using the Pterodactyl panel, this vulnerability poses a significant risk of denial of service. An attacker can degrade or completely disrupt server availability by exhausting CPU, memory, and network resources, impacting service continuity and user experience. This can lead to financial losses, reputational damage, and operational disruptions. Organizations relying on Pterodactyl Wings for critical infrastructure or multiplayer gaming platforms may face increased downtime and customer dissatisfaction. Additionally, resource exhaustion could be leveraged as a diversion tactic to mask other malicious activities. The lack of authentication requirement and ease of exploitation increase the likelihood of opportunistic attacks. Given the open-source nature of Pterodactyl, smaller European gaming communities and hosting providers may be particularly vulnerable if they have not applied the patch.
Mitigation Recommendations
1. Upgrade all Pterodactyl Wings instances to version 1.12.0 or later immediately to apply the official patch that introduces rate limiting and message size restrictions on websocket connections.
2. Implement network-level controls such as firewall rules or Web Application Firewalls (WAFs) to limit the number of simultaneous websocket connections from a single IP address and restrict unusually large data transfers.
3. Monitor websocket traffic patterns for abnormal connection counts or data volumes indicative of abuse.
4. Employ resource usage monitoring and alerting on CPU, memory, and network bandwidth to detect early signs of resource exhaustion.
5. Consider deploying rate limiting proxies or reverse proxies in front of Wings to enforce additional throttling policies.
6. Review and restrict access to Wings servers to trusted networks or VPNs where feasible to reduce exposure.
7. Maintain an incident response plan for denial of service scenarios, including rapid patch deployment and traffic filtering.
8. Regularly audit and update all components of the Pterodactyl panel and associated infrastructure to minimize exposure to known vulnerabilities.
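The three controls the analysis above says were missing before 1.12.0 (a cap on concurrent websocket connections per client, a cap on message size, and a throttle on message rate), written out as an added example in Go, the language Wings is written in. This is not Wings' own code or its 1.12.0 patch: the limit values, the 203.0.113.x / 198.51.100.x addresses and the names WSLimiter, Acquire, Release and AllowMessage are assumptions made for the example, and a server would wrap the limiter in a sync.Mutex.

```go
package main

import (
	"fmt"
	"time"
)
// Per-source-IP limits, constructed for this example (not Wings 1.12.0 defaults).
const (
	maxConnsPerIP  = 5         // concurrent websocket connections per IP
	maxMessageSize = 64 * 1024 // bytes accepted per websocket message
	msgsPerSecond  = 20        // messages accepted per IP per one-second window
)
type client struct{ conns, count int; window time.Time } // live sockets, messages in current window
// WSLimiter is consulted at upgrade time and for every message (not goroutine-safe; guard with a sync.Mutex).
type WSLimiter struct{ clients map[string]*client }
func NewWSLimiter() *WSLimiter { return &WSLimiter{clients: map[string]*client{}} }
// Acquire refuses the upgrade once an IP already holds maxConnsPerIP sockets.
func (l *WSLimiter) Acquire(ip string, now time.Time) error {
	c := l.clients[ip]
	if c == nil {
		c = &client{window: now}
		l.clients[ip] = c
	}
	if c.conns >= maxConnsPerIP {
		return fmt.Errorf("refusing websocket: %s already holds %d connections", ip, c.conns)
	}
	c.conns++
	return nil
}
// Release frees the slot when a socket that passed Acquire closes.
func (l *WSLimiter) Release(ip string) {
	if c := l.clients[ip]; c != nil && c.conns > 0 {
		c.conns--
	}
}

// AllowMessage rejects oversized frames before they are buffered, then caps the message count per fixed one-second window across all of the IP's sockets.
func (l *WSLimiter) AllowMessage(ip string, size int, now time.Time) error {
	c := l.clients[ip]
	if c == nil || size > maxMessageSize {
		return fmt.Errorf("rejecting %d-byte message from %s: limit is %d bytes on an open connection", size, ip, maxMessageSize)
	}
	if now.Sub(c.window) >= time.Second {
		c.window, c.count = now, 0 // start a new window
	}
	if c.count++; c.count > msgsPerSecond {
		return fmt.Errorf("message rate exceeded for %s", ip)
	}
	return nil
}
```

Because the count is shared per IP rather than per socket, opening more connections does not buy a client more message budget, which is the pattern the description above is about.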
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Poland, Spain, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T14:36:57.915Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696e879b4623b1157cadb4cf
Added to database: 1/19/2026, 7:35:55 PM
Last enriched: 1/19/2026, 7:50:16 PM
Last updated: 1/19/2026, 9:58:54 PM