CVE-2025-58758
5.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the .env file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the .env file before initializing TinyEnv.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| datahihi1 | tiny-env | >= 1.0.1, < 1.0.3 | affected |
| datahihi1 | tiny-env | >= 1.0.9, < 1.0.11 | affected |
Weaknesses
- CWE-703: CWE-703: Improper Check or Handling of Exceptional Conditions
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc
- https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.