Description
Advisory GHSA-8c39-xppg-479c references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/pterodactyl/wings |
Description:
Summary
Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.
Details
When a user opens a connection to a server using the Wings SFTP server instance, the permissions are checked and returned from the authentication API call made to the Panel. However, credentials are not checked again after the initial handshake. Thus, if a user is remove...
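The failure mode described above is an authorization decision cached at handshake time and never refreshed. The following Go program is an added example written for this report; it is not Wings' or the Panel's own code. It models a hypothetical in-memory `PermissionStore` standing in for the Panel's authorization API, a `CachedSession` that trusts the permissions fetched at the handshake for the life of the connection (the flawed pattern), and a `LiveSession` that re-queries the store on every file operation so that removal from the server or a permission reduction takes effect on the next request. Type and function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Permission bits a Panel-style backend grants a user on one server.
// Hypothetical names for this example, not Wings' own types.
type Permission uint8

const (
	PermRead Permission = 1 << iota
	PermWrite
)

var (
	ErrAuthFailed       = errors.New("sftp: authentication failed")
	ErrPermissionDenied = errors.New("sftp: permission denied")
)

// PermissionStore stands in for the Panel's authorization API (constructed, in-memory).
type PermissionStore struct {
	mu    sync.RWMutex
	perms map[string]Permission // key: user + "@" + server
}

func NewPermissionStore() *PermissionStore {
	return &PermissionStore{perms: make(map[string]Permission)}
}

func storeKey(user, server string) string { return user + "@" + server }

// Grant sets (or reduces) a user's permissions on a server.
func (s *PermissionStore) Grant(user, server string, p Permission) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.perms[storeKey(user, server)] = p
}

// Revoke models removing the user from the server entirely.
func (s *PermissionStore) Revoke(user, server string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.perms, storeKey(user, server))
}

// Lookup returns the current permissions and whether the user is still assigned.
func (s *PermissionStore) Lookup(user, server string) (Permission, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	p, ok := s.perms[storeKey(user, server)]
	return p, ok
}

// CachedSession reproduces the flawed pattern: permissions are fetched once at
// the SFTP handshake and trusted for the life of the connection.
type CachedSession struct {
	user, server string
	perms        Permission
}

func OpenCachedSession(s *PermissionStore, user, server string) (*CachedSession, error) {
	p, ok := s.Lookup(user, server)
	if !ok {
		return nil, ErrAuthFailed
	}
	return &CachedSession{user: user, server: server, perms: p}, nil
}

// Access checks only the snapshot taken at the handshake.
func (c *CachedSession) Access(need Permission) error {
	if c.perms&need == 0 {
		return ErrPermissionDenied
	}
	return nil
}

// LiveSession keeps only the identity established at the handshake and asks the
// store again on every file operation, so revocation is effective immediately.
type LiveSession struct {
	store        *PermissionStore
	user, server string
}

func OpenLiveSession(s *PermissionStore, user, server string) (*LiveSession, error) {
	if _, ok := s.Lookup(user, server); !ok {
		return nil, ErrAuthFailed
	}
	return &LiveSession{store: s, user: user, server: server}, nil
}

// Access re-validates the current grant before every operation.
func (l *LiveSession) Access(need Permission) error {
	p, ok := l.store.Lookup(l.user, l.server)
	if !ok || p&need == 0 {
		return ErrPermissionDenied
	}
	return nil
}

// DemoRevocation opens both session kinds for alice, removes her from the
// server, then returns each session's result for a subsequent read.
func DemoRevocation() (cachedErr, liveErr error) {
	store := NewPermissionStore()
	store.Grant("alice", "srv-1", PermRead|PermWrite)
	cached, _ := OpenCachedSession(store, "alice", "srv-1")
	live, _ := OpenLiveSession(store, "alice", "srv-1")
	store.Revoke("alice", "srv-1")
	return cached.Access(PermRead), live.Access(PermRead)
}

// DemoReduction reduces alice from read+write to read-only mid-connection and
// returns each session's result for a subsequent write.
func DemoReduction() (cachedErr, liveErr error) {
	store := NewPermissionStore()
	store.Grant("alice", "srv-1", PermRead|PermWrite)
	cached, _ := OpenCachedSession(store, "alice", "srv-1")
	live, _ := OpenLiveSession(store, "alice", "srv-1")
	store.Grant("alice", "srv-1", PermRead)
	return cached.Access(PermWrite), live.Access(PermWrite)
}

func main() {
	c, l := DemoRevocation()
	fmt.Printf("after removal:   cached=%v live=%v\n", c, l)
	c, l = DemoReduction()
	fmt.Printf("after reduction: cached=%v live=%v\n", c, l)
}
```

Re-querying on every operation is the simplest fix and is what a defender should verify in an SFTP integration: the per-request check must consult the authoritative store, not a per-connection snapshot. A cached design can be kept only if the authority pushes revocations to the daemon so that affected sessions are closed; absent such a signal, the cache outlives the grant exactly as the advisory describes.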
References:
- ADVISORY: GHSA-8c39-xppg-479c
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-68954
- FIX: pterodactyl/panel@2bd9d8b
- WEB: https://github.com/pterodactyl/panel/releases/tag/v1.12.0
Cross references:
- github.com/pterodactyl/wings appears in 8 other report(s):
  - data/reports/GO-2022-0389.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: GHSA-6rg3-8h8x-5xfv #389)
  - data/reports/GO-2022-0919.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2021-32699, GHSA-jj6m-r8jc-2gp7 #919)
  - data/reports/GO-2023-1542.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: GHSA-p8r3-83r8-jwj5 #1542)
  - data/reports/GO-2023-1555.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2023-25168 #1555)
  - data/reports/GO-2023-1768.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2023-32080 #1768)
  - data/reports/GO-2024-2642.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: GHSA-494h-9924-xww9 #2642)
  - data/reports/GO-2024-2814.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2024-34066 #2814)
  - data/reports/GO-2024-2815.yaml (x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2024-34068 #2815)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/pterodactyl/wings
      versions:
        - fixed: 1.12.0
      vulnerable_at: 1.11.13
summary: |-
    Pterodactyl does not revoke SFTP access when server is deleted or permissions
    reduced in github.com/pterodactyl/wings
cves:
    - CVE-2025-68954
ghsas:
    - GHSA-8c39-xppg-479c
references:
    - advisory: https://github.com/advisories/GHSA-8c39-xppg-479c
    - advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-68954
    - fix: https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5
    - web: https://github.com/pterodactyl/panel/releases/tag/v1.12.0
source:
    id: GHSA-8c39-xppg-479c
    created: 2026-01-06T18:01:01.588740906Z
review_status: UNREVIEWED
```