March 2025

Research: Pair Framework PHP Object Injection

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the Pair Framework.

The maintainer, Viames, was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/viames/pair/releases/tag/2.0.0-beta

The fix was also backported to the earlier branch, with release 1.9.12.

Details of the report:

https://gist.github.com/mcdruid/1997e10026833d2d1f3e359d75b5912a

This vulnerability was assigned CVE-2025-2376.