Critical Unauthenticated SQL Injection in PEAR (CVE-2026-25241) Threatens PHP Ecosystem

A critical unauthenticated SQL injection (CVE-2026-25241) has been discovered in PEAR versions before 1.33.0 via the /get/<package>/<version> endpoint. Remote attackers can run arbitrary SQL, leading to full database compromise and possible server takeover. Immediate upgrade to PEAR 1.33.0 or strict network segmentation is required.

Overview/Introduction

On February 3, 2026, the National Vulnerability Database (NVD) published a critical flaw affecting the PHP Extension and Application Repository (PEAR) package manager. Identified as CVE-2026-25241, the vulnerability is an unauthenticated SQL injection (SQLi) residing in the /get/<package>/<version> endpoint of PEAR servers. Because the flaw can be triggered without any authentication, an attacker on the network can inject malicious SQL payloads, potentially reading, modifying or deleting any data stored in the PEAR backend database and, in worst-case scenarios, achieving full server compromise.

Technical Details

The vulnerable code path processes the package and version URL parameters and concatenates them directly into an SQL query that retrieves package metadata. No input sanitisation or prepared statements are used, exposing the classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw.

  • CVE Identifier: CVE-2026-25241
  • Vendor: PEAR (PHP Extension and Application Repository)
  • Affected Versions: PEAR < 1.33.0 (all prior releases up to 1.32.x)
  • Vulnerable Endpoint: GET /get/<package>/<version>
  • Attack Vector: Network (AV:N), Remote, No Authentication (PR:N), No User Interaction (UI:N)
  • Complexity: Low (AC:L)
  • CVSS v4.0 Base Score: 9.3 (Critical)
  • CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Exploitation merely requires supplying a crafted version value that contains SQL syntax, for example 1.0.0'); DROP TABLE packages;-- in place of a real version string. The server then executes the injected statement against its MySQL or PostgreSQL backend. Because the endpoint is typically exposed to the public for package retrieval, the attack surface is broad.
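To make the concatenation flaw and the prepared-statement fix concrete, the following is an added example (not PEAR's own code) that models the package lookup against a constructed in-memory SQLite table and an assumed schema; the version allow-list is the one from the mitigation guidance, and the package-name allow-list is an assumption.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for a package-metadata table; not PEAR's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE packages (name TEXT, version TEXT, tarball TEXT)")
    db.executemany("INSERT INTO packages VALUES (?, ?, ?)", [
        ("Mail", "1.0.0", "Mail-1.0.0.tgz"),
        ("Mail", "1.1.0", "Mail-1.1.0.tgz"),
        ("Net_SMTP", "2.0.0", "Net_SMTP-2.0.0.tgz"),
    ])
    return db


def get_vulnerable(db, package, version):
    # Mirrors the flawed pattern: URL segments concatenated straight into SQL (CWE-89).
    sql = ("SELECT name, version, tarball FROM packages "
           "WHERE name = '" + package + "' AND version = '" + version + "'")
    return db.execute(sql).fetchall()


VERSION_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # allow-list from mitigation step 3
PACKAGE_RE = re.compile(r"^[A-Za-z0-9_]+$")    # assumed allow-list for package names


def get_hardened(db, package, version):
    # Reject anything outside the allow-list before touching the database, then bind
    # the values as parameters so they can never alter the statement's structure.
    if not PACKAGE_RE.match(package) or not VERSION_RE.match(version):
        raise ValueError("invalid package or version segment")
    return db.execute(
        "SELECT name, version, tarball FROM packages WHERE name = ? AND version = ?",
        (package, version),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"   # tautology: makes the WHERE clause always true
    print(get_vulnerable(db, "Mail", injected))   # vulnerable path leaks every row
    try:
        get_hardened(db, "Mail", injected)
    except ValueError as e:
        print("rejected:", e)
```

The vulnerable path returns every row for the tautology input, while the hardened path refuses the request before any SQL is run.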

Impact Analysis

The impact of a successful exploit is severe across all three CIA dimensions:

  • Confidentiality (H): Attackers can dump the entire PEAR database, exposing internal package metadata, developer credentials, and any custom data stored alongside packages.
  • Integrity (H): Malicious SQL can alter package versions, inject back-doors into package manifests, or delete records, corrupting the repository’s trust chain.
  • Availability (H): By issuing DROP TABLE or DELETE commands, an attacker can render the repository unusable, causing denial of service for any downstream PHP applications that rely on PEAR for updates.

Because many legacy PHP applications still depend on PEAR for dependency management, a compromised repository can become a supply-chain attack vector. An attacker who gains write access to the package index could publish malicious versions of widely-used libraries, leading to remote code execution on any system that automatically updates from the compromised repository.

Timeline of Events

  • Feb 3, 2026 19:16 UTC - NVD publishes initial CVE entry for CVE-2026-25241.
  • Feb 3, 2026 19:20 UTC - Feedly reports the first public article referencing the vulnerability.
  • Feb 3, 2026 19:22 UTC - CVSS base score of 9.3 (Critical) assigned.
  • Feb 3, 2026 19:52 UTC - Additional analysis published, confirming low attack complexity and network-only vector.
  • Feb 4, 2026 - PEAR project releases version 1.33.0 containing the fix.

Mitigation/Recommendations

Given the critical rating, remediation should be treated as an emergency. The following steps are recommended:

  1. Upgrade Immediately: Deploy PEAR 1.33.0 or later on all servers running the package manager. The patch replaces the vulnerable query with a prepared-statement implementation and adds strict type-checking on the version parameter.
  2. Apply Network Controls: If an immediate upgrade is not feasible, restrict access to the /get/* endpoint to trusted IP ranges using firewall rules or reverse-proxy ACLs. Consider placing the PEAR service behind a VPN.
  3. Input Validation: For legacy deployments that cannot be upgraded, wrap the endpoint with a WAF rule that allows only alphanumeric characters, dots, and hyphens in the version segment, rejecting any single-quote or semicolon characters.
  4. Database Hardening: Apply the principle of least privilege to the PEAR database account, granting read-only access where possible. Disable the ability to execute DDL statements (e.g., DROP, ALTER) from the application account.
  5. Monitoring & Logging: Enable detailed query logs and set alerts for abnormal SQL patterns such as multiple statements in a single query or unexpected DROP/DELETE commands.
  6. Supply-Chain Review: After patching, verify the integrity of all packages in the repository. Re-sign packages if you employ a signing mechanism.
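As an added illustration of the monitoring step above (not part of the original advisory or of PEAR), this scanner runs the suggested checks for stacked statements, DDL/DELETE from the application account, comment sequences and tautologies over constructed query-log lines written in the style of a MySQL general log.

```python
import re

# Constructed sample lines in the style of a MySQL general query log; not real traffic.
SAMPLE_LOG = """\
2026-02-04T10:00:01Z   12 Query  SELECT name, version, tarball FROM packages WHERE name = 'Mail' AND version = '1.0.0'
2026-02-04T10:00:02Z   12 Query  SELECT name, version, tarball FROM packages WHERE name = 'Mail' AND version = '1.0.0'); DROP TABLE packages;--'
2026-02-04T10:00:03Z   13 Query  SELECT name, version, tarball FROM packages WHERE name = 'Net_SMTP' AND version = '2.0.0'
2026-02-04T10:00:04Z   14 Query  DELETE FROM packages WHERE name = 'Mail'
2026-02-04T10:00:05Z   15 Query  SELECT name FROM packages WHERE version = '1' OR '1'='1'
"""

# timestamp, connection id, then the statement text
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

CHECKS = [
    # a ';' followed by further SQL: the endpoint should only ever issue one statement
    ("stacked statement", re.compile(r";\s*\S")),
    # the application account should never run these (mitigation step 4)
    ("ddl/dml from app account", re.compile(r"\b(DROP|ALTER|DELETE|TRUNCATE)\b", re.I)),
    # comment markers are a classic way to discard the rest of the real query
    ("sql comment sequence", re.compile(r"(--|/\*|#)")),
    # an OR comparing two literals makes the WHERE clause always true
    ("tautology", re.compile(r"\bOR\s+'[^']*'\s*=\s*'[^']*'", re.I)),
]


def scan_log(text):
    """Return (timestamp, connection id, reasons) for each suspicious query line."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = [name for name, rx in CHECKS if rx.search(m["sql"])]
        if reasons:
            alerts.append((m["ts"], int(m["conn"]), reasons))
    return alerts


if __name__ == "__main__":
    for ts, conn, reasons in scan_log(SAMPLE_LOG):
        print(ts, "conn", conn, "->", ", ".join(reasons))
```

The clean lookups on connections 12 (first line) and 13 produce no alert; the injected lookup, the bare DELETE and the tautology each do.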

Real-World Impact

Enterprises that host internal PEAR mirrors for legacy PHP applications are especially at risk. A successful exploit could give an attacker a foothold in the internal network, allowing lateral movement to other services that trust the same database credentials. Moreover, public PEAR repositories could be weaponised as a distribution channel for malicious code, affecting any downstream project that pulls packages automatically.

Small-to-medium businesses that rely on outdated PHP stacks often overlook PEAR updates, assuming the package manager is a “set-and-forget” component. This vulnerability demonstrates how even peripheral tooling can become a critical attack surface. Organizations should reassess their asset inventory to include development tooling like PEAR, Composer, and other language-specific package managers.

Expert Opinion

From a strategic standpoint, CVE-2026-25241 underscores two persistent trends in web security:

  • Supply-Chain Vulnerabilities: The PEAR manager is a classic example of a supply-chain component that, if compromised, can affect a broad ecosystem of applications. As the industry shifts focus toward SBOMs and provenance, legacy managers must be brought into the same security hygiene.
  • Legacy Codebases as Attack Vectors: Many organizations still run PHP 5.x/7.x stacks with PEAR integrated for legacy libraries. The lack of modern development practices, such as prepared statements and ORM usage, creates low-complexity attack paths that adversaries love.

My recommendation for security teams is to treat package managers as high-value assets, not just build tools. Regular vulnerability scanning should include these services, and patch management processes must cover them. In the longer term, migrating away from PEAR toward Composer (which benefits from a more active security community) will reduce exposure to similar issues.

In summary, the rapid disclosure and patch release for CVE-2026-25241 are commendable, but the real work begins with swift remediation, tightening of network boundaries, and a strategic move away from legacy dependency managers.