VYPR
Low severity · NVD Advisory · Published Oct 25, 2021 · Updated Aug 4, 2024

logout CSRF in Pterodactyl Panel

CVE-2021-41176

Description

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl, a malicious user can trigger a logout if a signed-in user visits a malicious website that makes a request to the Panel's sign-out endpoint (at the time a GET route with no CSRF protection, so the browser's cross-site request carries the session cookie and nothing else is checked). This requires a targeted attack against a specific Panel instance and serves only to sign the user out: no user details are leaked and no user data is affected, so the impact is an annoyance at worst. This is fixed in version 1.6.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pterodactyl/panel (Packagist)
Affected versions: >= 1.0.0, < 1.6.3
Patched versions: 1.6.3


Patches

45999ba4ee1b

(security) use POST for logout rather than GET

https://github.com/pterodactyl/panel · Dane Everitt · Oct 23, 2021 · via ghsa
3 files changed · +18 −5
  • resources/scripts/components/NavigationBar.tsx+16 3 modified
    @@ -7,6 +7,9 @@ import { ApplicationStore } from '@/state';
     import SearchContainer from '@/components/dashboard/search/SearchContainer';
     import tw, { theme } from 'twin.macro';
     import styled from 'styled-components/macro';
    +import http from '@/api/http';
    +import SpinnerOverlay from '@/components/elements/SpinnerOverlay';
    +import { useState } from 'react';
     
     const Navigation = styled.div`
         ${tw`w-full bg-neutral-900 shadow-md overflow-x-auto`};
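Review bot: in the import block at the top of this hunk, `import { useState } from 'react';` is placed after the project-local `@/` imports; move it up next to the file's other `react` imports so the third-party/local ordering stays consistent, and keep `@/api/http` and `SpinnerOverlay` grouped with the existing `@/` imports.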
    @@ -27,7 +30,7 @@ const Navigation = styled.div`
     const RightNavigation = styled.div`
         ${tw`flex h-full items-center justify-center`};
         
    -    & > a, & > .navigation-link {
    +    & > a, & > button, & > .navigation-link {
             ${tw`flex items-center h-full no-underline text-neutral-300 px-6 cursor-pointer transition-all duration-150`};
             
             &:active, &:hover {
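Review bot: the new `& > button` selector at the start of this hunk gives the button the same `tw` utilities as the anchors (flex, padding, colour, cursor) but nothing in the rule resets the user-agent button styles, so the logout control will render with a native border, background and font unless that is handled elsewhere; add `bg-transparent border-0` (or `appearance-none`) to the shared rule or to the button itself.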
    @@ -43,9 +46,19 @@ const RightNavigation = styled.div`
     export default () => {
         const name = useStoreState((state: ApplicationStore) => state.settings.data!.name);
         const rootAdmin = useStoreState((state: ApplicationStore) => state.user.data!.rootAdmin);
    +    const [ isLoggingOut, setIsLoggingOut ] = useState(false);
    +
    +    const onTriggerLogout = () => {
    +        setIsLoggingOut(true);
    +        http.post('/auth/logout').finally(() => {
    +            // @ts-ignore
    +            window.location = '/';
    +        });
    +    };
     
         return (
             <Navigation>
    +            <SpinnerOverlay visible={isLoggingOut} />
                 <div css={tw`mx-auto w-full flex items-center`} style={{ maxWidth: '1200px', height: '3.5rem' }}>
                     <div id={'logo'}>
                         <Link to={'/'}>
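Review bot: `onTriggerLogout` redirects from `.finally()`, so a failed POST (419 on a stale CSRF token, a network error, 405 from a backend that still serves the old route) still sends the user to `/` with no indication that they are in fact still signed in. Handle the rejection (surface the error and reset `isLoggingOut`) and only navigate on success; `window.location.assign('/')` would also remove the need for the `// @ts-ignore`.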
    @@ -65,9 +78,9 @@ export default () => {
                             <FontAwesomeIcon icon={faCogs}/>
                         </a>
                         }
    -                    <a href={'/auth/logout'}>
    +                    <button onClick={onTriggerLogout}>
                             <FontAwesomeIcon icon={faSignOutAlt}/>
    -                    </a>
    +                    </button>
                     </RightNavigation>
                 </div>
             </Navigation>
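Review bot: the replacement `<button onClick={onTriggerLogout}>` is icon-only; give it `type={'button'}` and an accessible name (`aria-label={'Sign out'}` or a `title`), since the `<a href>` it replaces at least exposed a destination to assistive technology. A `disabled={isLoggingOut}` would also stop repeat clicks, even though the overlay covers that visually.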
    
  • routes/auth.php+1 1 modified
    @@ -48,4 +48,4 @@
     | Endpoint: /auth
     |
     */
    -Route::get('/logout', 'LoginController@logout')->name('auth.logout')->middleware('auth');
    +Route::post('/logout', 'LoginController@logout')->name('auth.logout')->middleware('auth', 'csrf');
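Review bot: moving the route to POST and adding the `csrf` middleware is the right fix, but it changes the contract of the named route `auth.logout`: any Blade view or admin-side template that still renders `route('auth.logout')` or `/auth/logout` as a plain link will now get a 405, so grep the rest of the codebase for both and convert those call sites to forms carrying `@csrf`. Also confirm that `csrf` is registered as a route-middleware alias in the HTTP kernel rather than only applied through the `web` group, since the diff does not show where it is defined.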
    
  • SECURITY.md+1 1 modified
    @@ -11,7 +11,7 @@ The following versions of Pterodactyl are receiving active support and maintenan
     
     ## Reporting a Vulnerability
     
    -Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane [ät] pterodactyl.io`.
    +Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane@pterodactyl.io`.
     
     We make every effort to respond as soon as possible, although it may take a day or two for us to sync internally and determine the severity of the report and its impact. Please, _do not_ use a public facing channel or GitHub issues to report sensitive security issues.
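Review bot: the `dane [ät]` to `dane@` address change is unrelated to the CSRF fix and belongs in its own commit so the security patch stays minimal and easy to backport.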
     
    
