CVE-2026-25235

Publication date: 2026-02-03

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pear
Product: pearweb
Version / Range: all versions up to 1.33.0 (excluding 1.33.0)
CWE ID: CWE-337
Description: A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25235 is a high-severity vulnerability in the PEAR framework affecting versions prior to 1.33.0. The issue is in the _makeSalt() function of the file include/election/pear-election-accountrequest.php, which generates verification hashes for election account requests.

This function uses the MD5 hashing algorithm on predictable inputs such as the username and microtime(), resulting in verification tokens that attackers can guess within a feasible time window.

Because the pseudo-random number generator seed is predictable, attackers can potentially guess these verification tokens and verify election account requests without authorization, effectively bypassing security controls.


How can this vulnerability impact me?

This vulnerability allows attackers to guess verification tokens and verify election account requests without proper authorization.

As a result, unauthorized users could potentially manipulate or interfere with election-related processes within the PEAR framework, leading to compromised integrity of election account verifications.

This could undermine trust in the system, allow fraudulent actions, and cause significant security and operational impacts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves predictable verification hashes generated by the _makeSalt() function in the pear-election-accountrequest.php file, which uses MD5 hashing on predictable inputs such as username and microtime().

To detect this vulnerability on your system, you should check the version of the PEAR pearweb package installed and verify if it is prior to version 1.33.0.

Since the vulnerability is related to the source code, you can also inspect the presence of the vulnerable _makeSalt() function in the file include/election/pear-election-accountrequest.php.

Suggested commands to detect the vulnerable version or code presence include:

- Check the installed version of pearweb (example): `pear list | grep pearweb` or check the version in your package manager.
- Search for the vulnerable file and function: `grep -r '_makeSalt' /path/to/pearweb/include/election/`
- Review the code in pear-election-accountrequest.php for use of MD5 hashing on predictable inputs. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the PEAR pearweb package to version 1.33.0 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, consider restricting access to the vulnerable functionality to trusted users only, to reduce the risk of unauthorized verification token guessing.

Additionally, review and modify the code to replace the predictable MD5-based verification token generation with a more secure, cryptographically strong random token generation method.
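A token routine of the kind this answer recommends, written here as an added illustration (it is not pearweb's code and not the fix that shipped in 1.33.0); the weak function at the top only mirrors the hashing of username and microtime() the advisory describes, and every function name is hypothetical:

```php
<?php
// Added illustration, not pearweb's own code. Function names are hypothetical.

// Weak pattern, as the advisory describes it: the only input that varies is the
// request time, so the set of candidate digests is small enough to search.
function makeWeakToken(string $username): string
{
    return md5($username . microtime());
}

// Hardened: 32 bytes from the OS CSPRNG, unrelated to any request data.
function makeSecureToken(): string
{
    return bin2hex(random_bytes(32)); // 64 hex chars, 256 bits of entropy
}

// Persist only a digest plus an expiry, so a leaked table row is not a usable token.
function storeRequest(string $token, int $ttlSeconds): array
{
    return [
        'digest'  => hash('sha256', $token),
        'expires' => time() + $ttlSeconds,
    ];
}

// Reject expired tokens, then compare digests in constant time.
function verifyToken(string $presented, array $record): bool
{
    if (time() > $record['expires']) {
        return false;
    }
    return hash_equals($record['digest'], hash('sha256', $presented));
}

// Usage sketch: the token goes to the requester (e.g. by email), the record stays server-side.
$token  = makeSecureToken();
$record = storeRequest($token, 3600);
var_dump(verifyToken($token, $record));
var_dump(verifyToken(str_repeat('0', 64), $record));
```

The weak function is kept only for contrast and is never called; the hardened path never derives the token from anything an outside party can observe or predict.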


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

