CVE-2025-58758

MEDIUM

TinyEnv 1.0.1-1.0.2 1.0.9-1.0.10 - Improper Handling of Missing .env File

Title source: llm

Description

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc

Patch x_refsource_misc

https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e

View Patch ZIP pw:eip

Scores

CVSS v3 5.1

EPSS 0.0017

EPSS Percentile 7.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-703

Status published

Products (2)

datahihi1/tiny-env 0 - 1.0.3Packagist

datahihi1/tinyenv 1.0.1 - 1.0.3

Published Sep 09, 2025

Tracked Since Feb 18, 2026