TinyEnv: Inline comments not stripped properly in .env values

5.1 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.

Basic Information

ID CVE-2025-58759

Source GitHub_M

Published Sep 9, 2025 at 19:52

Affected Product

Vendor datahihi1

Product tiny-env

Version >= 1.0.9, < 1.0.11

Affected Versions datahihi1 tiny-env >= 1.0.9, < 1.0.11

CWE Classification

CWE-20

References

github.com /datahihi1/tiny-env/security/advisories/GHSA-72cm-7236-h43r

{
    "lastseen": "",
    "description": "TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.",
    "published": "2025-09-09T19:52:39.014Z",
    "modified": "2025-09-09T19:52:39.014Z",
    "type": "cve",
    "title": "TinyEnv: Inline comments not stripped properly in .env values",
    "source": "GitHub_M",
    "references": "https://github.com/datahihi1/tiny-env/security/advisories/GHSA-72cm-7236-h43r",
    "id": "CVE-2025-58759",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "datahihi1 tiny-env >= 1.0.9, < 1.0.11",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tiny-env",
    "version": ">= 1.0.9, < 1.0.11",
    "vendor": "datahihi1",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

TinyEnv: Inline comments not stripped properly in .env values_CVE-2025-58759