CVE-2026-25241
📋 TL;DR
This CVE describes an unauthenticated SQL injection vulnerability in PEAR's package retrieval endpoint. Attackers can execute arbitrary SQL commands by sending specially crafted package version parameters to the /get/<package>/<version> endpoint. All PEAR installations prior to version 1.33.0 are affected.
💻 Affected Systems
- PEAR (PHP Extension and Application Repository)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, and potential remote code execution via database functions.
Likely Case
Database information disclosure, data manipulation, and potential privilege escalation.
If Mitigated
Limited impact with proper input validation and database permissions, but still a serious security issue.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit with readily available tools, and this one requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.33.0
Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p
Restart Required: No
Instructions:
1. Update PEAR to version 1.33.0 or later using pear upgrade pear
2. Verify the update completed successfully
3. Test the /get/ endpoint functionality
🔧 Temporary Workarounds
Block vulnerable endpoint
Temporarily block access to the /get/<package>/<version> endpoint using web server configuration or WAF rules.
# Apache: RewriteRule ^/get/.*$ - [F]
# Nginx: location ~ ^/get/ { return 403; }
Input validation filter
Implement input validation to reject package version parameters containing SQL injection patterns. This is a denylist; an allowlist of the characters a version string may legitimately contain is stricter, and neither replaces parameterized queries.
# Example PHP validation (denylist on quotes, semicolons and hyphens): if (preg_match('/[\'";-]/', $version)) { die('Invalid input'); }
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the vulnerable endpoint
- Deploy a web application firewall (WAF) with SQL injection protection rules
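The following is an added illustration of the two controls in the list above, allowlist validation and parameterized queries; it is not code from PEAR or pearweb. It models the release lookup behind /get/<package>/<version> in Python with an in-memory SQLite table whose rows and schema are constructed for the example (the real pearweb schema is not known here), and shows the string-concatenated query beside the hardened form.

```python
import re
import sqlite3

# Constructed sample rows standing in for the release table behind
# /get/<package>/<version>; the real pearweb schema is not known here.
SAMPLE_RELEASES = [
    ("Archive_Tar", "1.4.14", "Archive_Tar-1.4.14.tgz"),
    ("Archive_Tar", "1.4.13", "Archive_Tar-1.4.13.tgz"),
    ("Console_Getopt", "1.4.3", "Console_Getopt-1.4.3.tgz"),
]

# Allowlist for a version string: letters, digits, dots and hyphens, up to
# 64 characters (covers "1.4.14", "2.0.0RC1", "0.9.0beta2"). Anything else
# is rejected before it gets near the database, whatever it contains.
VERSION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,63}$")


def is_valid_version(version: str) -> bool:
    return VERSION_RE.fullmatch(version) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE releases (package TEXT, version TEXT, file TEXT)")
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?)", SAMPLE_RELEASES)
    return conn


def lookup_vulnerable(conn, package, version):
    # The anti-pattern: request parameters spliced into the SQL text. A quote
    # in the version parameter closes the literal and the remainder is
    # executed as SQL, so a tautology returns every row.
    sql = (f"SELECT file FROM releases WHERE package = '{package}' "
           f"AND version = '{version}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, package, version):
    # The actual fix: placeholders, with the values passed separately so the
    # driver treats them as data. A payload simply matches no version.
    sql = "SELECT file FROM releases WHERE package = ? AND version = ?"
    return [row[0] for row in conn.execute(sql, (package, version))]


def lookup_safe(conn, package, version):
    # Defence in depth: reject malformed versions up front, then use the
    # parameterised query. The package name needs the same treatment.
    if not is_valid_version(version):
        raise ValueError("invalid version string")
    return lookup_parameterised(conn, package, version)


def demo():
    conn = make_db()
    payload = "1.4.14' OR '1'='1"
    try:
        lookup_safe(conn, "Archive_Tar", payload)
        validated = "accepted"
    except ValueError:
        validated = "rejected"
    return {
        "concatenated_rows": len(lookup_vulnerable(conn, "Archive_Tar", payload)),
        "parameterised_rows": len(lookup_parameterised(conn, "Archive_Tar", payload)),
        "allowlist": validated,
        "normal": lookup_safe(conn, "Archive_Tar", "1.4.14"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the concatenated query returning all three constructed rows for the tautology payload, the parameterised query returning none, and the allowlist rejecting the input before any query runs. The parameterised query is the fix; the allowlist is the workaround layer for the period before the patch can be applied.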
🔍 How to Verify
Check if Vulnerable:
Check if PEAR version is below 1.33.0 and if the /get/ endpoint is accessible.
Check Version:
pear version | grep 'PEAR Version'
Verify Fix Applied:
Verify PEAR version is 1.33.0 or higher and test the /get/ endpoint with safe parameters.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed requests to /get/ endpoint with suspicious parameters
- Database query errors containing SQL injection patterns
Network Indicators:
- HTTP requests to /get/ endpoint with SQL keywords in parameters
- Unusual database traffic patterns from web server
SIEM Query:
source="web_logs" AND uri_path="/get/*" AND (param="*' OR*" OR param="*;--*" OR param="*UNION*" OR param="*SELECT*" OR param="*INSERT*" OR param="*UPDATE*" OR param="*DELETE*")
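As an added example that is not part of the advisory, the patterns from the SIEM query above applied in Python to access-log lines. The log lines and client addresses (203.0.113.0/24, a documentation range) are constructed for the example. The request path is URL-decoded before matching, because a percent-encoded quote or space in the version parameter would otherwise not match the literal patterns, and only requests to /get/ are considered, as in the query.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in common log format; none are real.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /get/Archive_Tar/1.4.14 HTTP/1.1" 200 51234
203.0.113.11 - - [01/Mar/2026:10:00:05 +0000] "GET /get/Archive_Tar/1.4.14%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 612
203.0.113.12 - - [01/Mar/2026:10:00:09 +0000] "GET /get/Console_Getopt/1.4.3%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 612
203.0.113.13 - - [01/Mar/2026:10:00:12 +0000] "GET /index.php?q=select HTTP/1.1" 200 1024
203.0.113.14 - - [01/Mar/2026:10:00:15 +0000] "GET /get/Archive_Tar/1.4.14;--%20 HTTP/1.1" 404 210
"""

# The SIEM query's wildcard terms as regular expressions, applied after
# URL-decoding so percent-encoded quotes and spaces do not slip past.
SQLI_PATTERNS = {
    "quote_or": re.compile(r"'\s*OR\b", re.I),
    "comment": re.compile(r";\s*--"),
    "union": re.compile(r"\bUNION\b", re.I),
    "select": re.compile(r"\bSELECT\b", re.I),
    "insert": re.compile(r"\bINSERT\b", re.I),
    "update": re.compile(r"\bUPDATE\b", re.I),
    "delete": re.compile(r"\bDELETE\b", re.I),
}

# Request line and status code from a common-log-format entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def flag_line(line):
    """Return a finding for a /get/ request matching any pattern, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    uri = m.group("uri")
    if not uri.startswith("/get/"):
        return None  # the query scopes to the vulnerable endpoint only
    decoded = unquote_plus(uri)
    hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
    if not hits:
        return None
    return {
        "client": line.split()[0],
        "uri": decoded,
        "status": int(m.group("status")),
        "patterns": hits,
    }


def scan(log_text):
    """Scan a block of log text and return the list of findings."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this flags three requests and ignores the /index.php request containing the word "select". Bare keyword matches such as SELECT or UPDATE can appear in legitimate paths, so the status code is carried in each finding: a run of 5xx responses on /get/ alongside the SQL errors listed under Log Indicators is a much stronger signal than a single keyword hit.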