Is Pelican safe from CVE-2025-49132? #361

New Issue

OVERLORD · 2026-02-04T17:44:37+03:00

OVERLORD commented

2026-02-04 17:44:37 +03:00

Originally created by @marpisco on GitHub (Jun 18, 2025).

Currently, CVE-2025-49132 (which isn't yet, at the time of writing this, public) affects Pterodactyl Panel, which is what Pelican is based out of. Would this vulnerability affect Pelican Panel?

A patch has been released by Pterodactyl here: 24c82b0e33.patch

It appears to affect LocaleRequest and LocaleController from Pterodactyl, which do not appear to be apart of Pelicans code.

Originally created by @marpisco on GitHub (Jun 18, 2025). Currently, CVE-2025-49132 (which isn't yet, at the time of writing this, public) affects Pterodactyl Panel, which is what Pelican is based out of. Would this vulnerability affect Pelican Panel? A patch has been released by Pterodactyl here: https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0.patch It appears to affect LocaleRequest and LocaleController from Pterodactyl, which do not appear to be apart of Pelicans code.

OVERLORD closed this issue

2026-02-04 17:44:41 +03:00

OVERLORD commented

2026-02-04 17:44:48 +03:00

@rmartinoscar commented on GitHub (Jun 18, 2025):

The security vulnerability patched in Pterodactyl 1.11.11 does not affect Pelican! There is no action required when using the latest version of Pelican.

@rmartinoscar commented on GitHub (Jun 18, 2025): The security vulnerability patched in Pterodactyl 1.11.11 does **not** affect Pelican! There is no action required when using the latest version of Pelican.

OVERLORD referenced this issue

2026-02-04 18:45:06 +03:00

[PR #361] [MERGED] Refactor api key permissions #712

Sign in to join this conversation.

Branches Tags

main

charles/filament-v5

boy132/backup-hosts

release/v1.0.0-beta33

lance/encodings

release/v1.0.0-beta32

lance/2069

lance/1228

lance/2026

lance/1022

lance/2132

lance/1585

lance/769

lance/2163

lance/1769

lance/2077

shift-ci-v12.50.0

charles/spotlight

charles/ex-im-servers

auto-claude/022-docker-image-links-plugin-dir-wrong

auto-claude/022-docker-image-links-plugin-dir-wrong-clean

release/v1.0.0-beta31

auto-claude/005-run-unit-tests-in-parallel

charles/new-activitylog

lance/1742

release/v1.0.0-beta30

release/v1.0.0-beta29

release/v1.0.0-beta28

release/v1.0.0-beta27

release/v1.0.0-beta26

chore/shiftWorkflow

vehikl/make-webhooks-normalized

feature/1051-replace-fractal-with-laravel-data

release/v1.0.0-beta25

release/v1.0.0-beta24

release/v1.0.0-beta23

release/v1.0.0-beta22

lance/cloud

release/v1.0.0-beta21

release/v1.0.0-beta20

release/v1.0.0-beta19

release/v1.0.0-beta18

release/v1.0.0-beta17

release/v1.0.0-beta16

release/v1.0.0-beta15

release/v1.0.0-beta14

release/v1.0.0-beta13

release/v1.0.0-beta11

issue/68

release/v1.0.0-beta10

release/v1.0.0-beta9

release/v1.0.0-beta8

release/v1.0.0-beta7

release/v1.0.0-beta6

release/v1.0.0-beta5

release/v1.0.0-beta4

release/v1.0.0-beta3

release/v1.0.0-beta2

release/v1.0.0-beta1

3.x

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/panel#361