
CVE-2026-25241: Pear Pearweb SQLi Vulnerability

CVE-2026-25241 is a SQL injection flaw in Pear Pearweb allowing unauthenticated attackers to execute arbitrary SQL queries. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-25241 Overview

CVE-2026-25241 is an unauthenticated SQL injection vulnerability in PEAR's pearweb component, the framework and distribution system for reusable PHP components. The flaw resides in the /get/<package>/<version> endpoint, where the version path parameter is passed unsanitized into a backend SQL query. Remote attackers can execute arbitrary SQL statements without authentication by crafting a malicious package version value. The issue affects all pearweb versions prior to 1.33.0 and is tracked as [CWE-89]. Maintainers fixed the vulnerability in version 1.33.0.

Critical Impact

Unauthenticated remote attackers can execute arbitrary SQL against the pearweb backend database, exposing package metadata, user records, and credentials hosted by the PEAR distribution service.

Affected Products

  • PEAR pearweb versions prior to 1.33.0
  • PHP package distribution services hosting the vulnerable pearweb codebase
  • Any internal mirror or fork of pearweb that exposes the /get/<package>/<version> endpoint

Discovery Timeline

  • 2026-02-03 - CVE-2026-25241 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2026-25241

Vulnerability Analysis

The vulnerability is an unauthenticated SQL injection in the pearweb HTTP handler that serves package downloads. When a client requests /get/<package>/<version>, the application parses the <version> segment from the URL and incorporates it into a SQL query used to locate the requested release. Because the value is not parameterized or escaped, an attacker can append arbitrary SQL syntax to alter the query's logic.

The endpoint is reachable without authentication, which removes any prerequisite access the attacker would otherwise need. Successful exploitation yields full read access to the underlying database and, depending on the database user's privileges, write access to records that drive package distribution. Compromise of this data path can poison downstream PHP supply chains.

The weakness maps to [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. Details are documented in the PEAR GitHub Security Advisory.

Root Cause

The root cause is direct concatenation of untrusted URL path data into a SQL statement. The version parameter is treated as a trusted identifier and inserted into the query without prepared statements, type validation, or input sanitization.
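The following is an added example, not pearweb code (pearweb itself is PHP; this models the same pattern in Python with an in-memory SQLite table so it can be run). The table name, columns and sample rows are constructed assumptions, not pearweb's real schema. It places the concatenation pattern described above beside the parameterized form and an allow-list check on the version segment, using the boolean-tautology shape the advisory text names, so the difference in what each query returns is visible.

```python
import re
import sqlite3

# Constructed sample data modelling a package release table; the schema is an
# assumption for illustration, not pearweb's real one.
RELEASES = [
    ("Net_Foo", "1.0.0", "Net_Foo-1.0.0.tgz"),
    ("Net_Foo", "1.1.0", "Net_Foo-1.1.0.tgz"),
    ("Mail_Bar", "0.9.1", "Mail_Bar-0.9.1.tgz"),
]

# Allow-list grammar for a version segment (the same pattern the Workarounds
# section uses for its WAF rule).
VERSION_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE releases (package TEXT, version TEXT, file TEXT)")
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?)", RELEASES)
    return conn


def lookup_vulnerable(conn, package, version):
    """Mirrors the root cause: the URL segment is concatenated into the SQL text,
    so anything it contains is parsed as SQL syntax."""
    sql = ("SELECT file FROM releases WHERE package = '%s' AND version = '%s'"
           % (package, version))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, package, version):
    """Fixed form: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT file FROM releases WHERE package = ? AND version = ?"
    return [row[0] for row in conn.execute(sql, (package, version))]


def lookup_hardened(conn, package, version):
    """Defence in depth: reject anything outside the version grammar before
    the query runs, then use the parameterized query."""
    if not VERSION_RE.match(version):
        raise ValueError("version segment outside allowed grammar")
    return lookup_parameterized(conn, package, version)


def demo():
    """Run the same inputs through both forms and return what each yields."""
    conn = open_db()
    tautology = "x' OR '1'='1"   # boolean-tautology shape named in the advisory text
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "Net_Foo", "1.0.0"),
        "legit_parameterized": lookup_parameterized(conn, "Net_Foo", "1.0.0"),
        "taut_vulnerable": lookup_vulnerable(conn, "Net_Foo", tautology),
        "taut_parameterized": lookup_parameterized(conn, "Net_Foo", tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query, the `AND` binds tighter than the `OR`, so the tautology makes the `WHERE` clause true for every row and all three files come back; the parameterized query compares the whole string as a literal version and returns nothing, and the hardened wrapper never reaches the database at all.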

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker issues an HTTP GET request to /get/<package>/<version> with a crafted version string containing SQL metacharacters and clauses. The injected payload executes inside the database session used by pearweb.

No verified proof-of-concept code has been published. The mechanics involve appending SQL operators such as UNION SELECT or boolean tautologies through the URL-encoded version segment to extract or modify database contents. Refer to the PEAR GitHub Security Advisory for vendor-supplied technical detail.

Detection Methods for CVE-2026-25241

Indicators of Compromise

  • HTTP requests to /get/<package>/<version> containing SQL metacharacters such as single quotes, UNION, SELECT, --, /*, or URL-encoded equivalents (%27, %20UNION%20).
  • Unusually long or structurally malformed values in the version URL segment.
  • Web server access logs showing repeated requests against the same package with varying version payloads, consistent with blind SQL injection enumeration.
  • Database error messages or stack traces emitted in HTTP responses from pearweb endpoints.

Detection Strategies

  • Deploy web application firewall signatures that inspect path parameters under /get/ for SQL injection patterns, not just query strings or POST bodies.
  • Enable verbose query logging on the pearweb database and alert on queries that reference the package release table with anomalous syntax.
  • Correlate web access logs with database audit logs to identify request-to-query mappings that contain attacker-controlled SQL keywords.
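The indicators listed above and the first detection strategy (inspecting the path parameter under /get/ rather than only query strings) can be turned into a log check. The block below is an added example, not code from the page or from PEAR: it parses combined-format access log lines (constructed here, not real pearweb logs), URL-decodes the version segment, flags SQL metacharacters, values outside the version grammar, overlong values and 5xx responses, and counts distinct versions per client and package to surface the enumeration pattern. The length and enumeration thresholds are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access log lines in combined format (assumes pearweb sits behind
# a standard web server). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [03/Feb/2026:10:00:01 +0000] "GET /get/Net_Foo/1.0.0 HTTP/1.1" 200 5120 "-" "pear/1.10"',
    '198.51.100.7 - - [03/Feb/2026:10:00:03 +0000] "GET /get/Mail_Bar/0.9.1 HTTP/1.1" 200 4096 "-" "pear/1.10"',
    '203.0.113.9 - - [03/Feb/2026:10:00:07 +0000] "GET /get/Net_Foo/1.0.0%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 311 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Feb/2026:10:00:08 +0000] "GET /get/Net_Foo/1.0.0%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Feb/2026:10:00:09 +0000] "GET /get/Net_Foo/1.0.0%27%20AND%20%271%27%3D%272 HTTP/1.1" 404 120 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Feb/2026:10:00:10 +0000] "GET /get/Net_Foo/' + "A" * 80 + ' HTTP/1.1" 404 120 "-" "curl/8.0"',
    '198.51.100.7 - - [03/Feb/2026:10:00:12 +0000] "GET /packages/Net_Foo HTTP/1.1" 200 2048 "-" "pear/1.10"',
])

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
GET_RE = re.compile(r"^/get/([^/?]+)/([^/?]+)$")
VERSION_RE = re.compile(r"^[A-Za-z0-9._-]+$")       # grammar from the Workarounds section
SQL_TOKENS = re.compile(r"'|--|/\*|\b(?:union|select)\b", re.IGNORECASE)
MAX_VERSION_LEN = 64   # assumption: longer than any plausible version string
ENUM_THRESHOLD = 3     # assumption: distinct versions per (client, package) before alerting


def inspect_request(ip, path, status):
    """Return a finding dict for a /get/ request, or None for other paths."""
    m = GET_RE.match(path)
    if not m:
        return None
    package, raw = m.groups()
    version = unquote(raw)            # decode %27, %20 etc. before inspection
    reasons = []
    if SQL_TOKENS.search(version):
        reasons.append("sql_metachar")
    if not VERSION_RE.match(version):
        reasons.append("outside_version_grammar")
    if len(version) > MAX_VERSION_LEN:
        reasons.append("overlong_version")
    if 500 <= status <= 599:
        reasons.append("server_error_response")
    return {"ip": ip, "package": package, "version": version, "reasons": reasons}


def scan_log(text):
    """Scan log text; return flagged requests and (ip, package) pairs that
    requested enough distinct versions to look like enumeration."""
    hits = []
    versions_seen = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        req = inspect_request(ip, path, int(status))
        if req is None:
            continue
        versions_seen[(ip, req["package"])].add(req["version"])
        if req["reasons"]:
            hits.append(req)
    enumeration = {k: len(v) for k, v in versions_seen.items() if len(v) >= ENUM_THRESHOLD}
    return hits, enumeration


if __name__ == "__main__":
    flagged, enum = scan_log(SAMPLE_LOG)
    for h in flagged:
        print(h["ip"], h["package"], repr(h["version"]), h["reasons"])
    for (ip, pkg), n in enum.items():
        print(f"enumeration: {ip} requested {n} distinct versions of {pkg}")
```

Decoding before matching matters because the encoded forms the indicators list (`%27`, `%20UNION%20`) would otherwise slip past a plain keyword search; the per-client version count is what separates a single malformed request from the repeated probing the blind-injection indicator describes.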

Monitoring Recommendations

  • Monitor outbound traffic from the pearweb host for data exfiltration following suspicious /get/ requests.
  • Track authentication and privilege changes on the database user account used by pearweb for signs of post-exploitation persistence.
  • Alert on new or modified rows in package metadata tables that do not correlate with legitimate maintainer activity.

How to Mitigate CVE-2026-25241

Immediate Actions Required

  • Upgrade pearweb to version 1.33.0 or later on all production, staging, and mirror deployments.
  • Audit web server and database logs since deployment for evidence of prior exploitation against the /get/<package>/<version> endpoint.
  • Rotate database credentials and any secrets accessible to the pearweb database account if exploitation cannot be ruled out.
  • Review package metadata and release records for unauthorized modifications that could indicate supply chain tampering.

Patch Information

The maintainers patched this vulnerability in pearweb version 1.33.0. The fix is documented in the PEAR GitHub Security Advisory GHSA-63fv-vpq5-gv8p. Operators of PEAR mirrors and forks should pull the upstream fix and rebuild their distribution.

Workarounds

  • Restrict access to the /get/<package>/<version> endpoint via reverse proxy rules until the upgrade is applied, limiting requests to known clients or internal networks.
  • Deploy a WAF rule that rejects requests where the version path segment contains characters outside the expected version grammar, such as ^[A-Za-z0-9._-]+$.
  • Apply least-privilege to the database account used by pearweb, removing write and administrative permissions where not required for read-only package serving.
```nginx
# Example NGINX rule to reject malformed version segments before they reach pearweb.
# Assumes an "upstream pearweb_backend { ... }" block is defined elsewhere in the config.
location ~ ^/get/(?<pkg>[^/]+)/(?<ver>.+)$ {
    # Named captures are used because a bare $1 is not reliable inside a nested "if".
    if ($ver !~ "^[A-Za-z0-9._-]+$") {
        return 400;
    }
    proxy_pass http://pearweb_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.