TinyEnv: Missing .env file not required — may cause unexpected...

5.1 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv.

Basic Information

ID CVE-2025-58758

Source GitHub_M

Published Sep 9, 2025 at 19:50

Affected Product

Vendor datahihi1

Product tiny-env

Version >= 1.0.1, < 1.0.3

Affected Versions datahihi1 tiny-env >= 1.0.1, < 1.0.3
datahihi1 tiny-env >= 1.0.9, < 1.0.11

CWE Classification

CWE-703

References

{
    "lastseen": "",
    "description": "TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv.",
    "published": "2025-09-09T19:50:18.518Z",
    "modified": "2025-09-09T19:50:18.518Z",
    "type": "cve",
    "title": "TinyEnv: Missing .env file not required \u2014 may cause unexpected behavior",
    "source": "GitHub_M",
    "references": "https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc\nhttps://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e",
    "id": "CVE-2025-58758",
    "bulletinFamily": "",
    "cwe": [
        "CWE-703"
    ],
    "cvelist": null,
    "sourceData": "datahihi1 tiny-env >= 1.0.1, < 1.0.3\ndatahihi1 tiny-env >= 1.0.9, < 1.0.11",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tiny-env",
    "version": ">= 1.0.1, < 1.0.3",
    "vendor": "datahihi1",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

TinyEnv: Missing .env file not required — may cause unexpected behavior_CVE-2025-58758