CVE-2026-25235

7.5 HIGH

📋 TL;DR

This vulnerability in PEAR (PHP Extension and Application Repository) allows attackers to guess verification tokens due to predictable hashes, potentially enabling unauthorized verification of election account requests. It affects PEAR installations before version 1.33.0. The issue impacts systems using PEAR's verification functionality.
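As an added illustration (not pearweb's code, and not the exact defect fixed in 1.33.0), the fault class behind a guessable verification token beside a hardened issue/verify pair; the in-memory store, the one-hour validity and all function names are assumptions:

```php
<?php
// Added example, not from the PEAR/pearweb code base: a verification token derived from
// predictable inputs versus one drawn from the CSPRNG, stored hashed and compared in constant time.
declare(strict_types=1);

// Hypothetical weak pattern: the token depends only on values a third party can know or guess,
// so the same email and timestamp always reproduce the same token.
function weakToken(string $email, int $requestTime): string
{
    return md5($email . $requestTime);
}

// Hardened issue/verify pair. $store stands in for the database table (assumed layout).
function issueToken(array &$store, string $email): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the OS CSPRNG
    $store[$email] = [
        'hash'    => hash('sha256', $token),  // never persist the raw token
        'expires' => time() + 3600,          // one-hour validity (assumed policy)
        'used'    => false,
    ];
    return $token;                            // delivered to the requester out of band
}

function verifyToken(array &$store, string $email, string $presented): bool
{
    if (!isset($store[$email]) || $store[$email]['used']) {
        return false;                         // unknown request or already consumed
    }
    $row = $store[$email];
    if (time() > $row['expires']) {
        return false;                         // expired
    }
    // Constant-time comparison of the stored hash against the hash of what was presented.
    if (!hash_equals($row['hash'], hash('sha256', $presented))) {
        return false;
    }
    $store[$email]['used'] = true;            // single use
    return true;
}

// Demonstration on constructed input.
$store = [];
$issued = issueToken($store, 'voter@example.org');
var_dump(verifyToken($store, 'voter@example.org', $issued));   // first use
var_dump(verifyToken($store, 'voter@example.org', $issued));   // second use is rejected
var_dump(weakToken('a@example.org', 1700000000) === weakToken('a@example.org', 1700000000));
```

The last line shows why a derived token fails: anyone who knows or guesses the inputs can recompute it, whereas the CSPRNG token can only be obtained from the message that delivered it.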

💻 Affected Systems

Products:
  • PEAR (PHP Extension and Application Repository)
Versions: All versions prior to 1.33.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PEAR installations with verification functionality enabled, particularly election account verification features.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could verify unauthorized election account requests, potentially gaining administrative access to PEAR systems or manipulating package distribution.

🟠

Likely Case

Unauthorized verification of user accounts or requests, leading to privilege escalation or account takeover in PEAR-managed systems.

🟢

If Mitigated

Limited impact with proper access controls and monitoring, though verification bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires familiarity with PEAR's verification system, but the hash patterns that system relies on are predictable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf

Restart Required: No

Instructions:

1. Update PEAR to version 1.33.0 or later using: pear upgrade pear
2. Verify update with: pear version
3. Clear any cached verification tokens or sessions.

🔧 Temporary Workarounds

Disable vulnerable verification endpoints (applies to: all)

Temporarily disable election account verification functionality until patching.

# Modify PEAR configuration to disable verification endpoints
# Location varies by installation

🧯 If You Can't Patch

  • Implement rate limiting on verification endpoints to prevent brute-force attacks
  • Add additional authentication factors for verification processes

🔍 How to Verify

Check if Vulnerable:

Check PEAR version with: pear version | grep -i pear

Check Version:

pear version

Verify Fix Applied:

Confirm version is 1.33.0 or higher with: pear version

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed verification attempts from single IP
  • Successful verifications without proper authentication flow

Network Indicators:

  • Unusual patterns of requests to verification endpoints
  • Requests with predictable token patterns

SIEM Query:

source="pear_logs" AND (verification_failure > 10 OR verification_success WITHOUT auth_flow)
