CVE-2025-58758
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-08
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58758
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
datahihi1 tinyenv From 1.0.1 (inc) to 1.0.3 (exc)
datahihi1 tinyenv From 1.0.9 (inc) to 1.0.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in TinyEnv versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10 occurs because the package does not require the .env file to exist when loading environment variables. As a result, if the .env file is missing, the application may silently ignore this missing configuration and proceed with potentially insecure default settings or deployment misconfigurations. This improper handling of the missing .env file can lead to unexpected and insecure behavior in PHP applications using TinyEnv. [1]

Impact Analysis

The impact of this vulnerability is that your application might run with missing or default environment configurations without any warning or error. This can lead to insecure defaults being used, which may expose your application to security risks or cause it to behave incorrectly. Since the application does not explicitly check for the presence of the .env file, deployment misconfigurations can occur, potentially compromising confidentiality and integrity of the application environment. [1]

Detection Guidance

This vulnerability can be detected by checking the version of the TinyEnv package used in your PHP application. Versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10 are vulnerable. You can detect the presence of the vulnerable TinyEnv version by running a command to check the installed package version, for example using Composer: `composer show datahihi1/tiny-env` or inspecting your composer.lock file. Additionally, you can check if the application silently proceeds without a .env file by verifying if the .env file exists in the application directory. A manual check command could be: `ls -la /path/to/your/app/.env` to see if the .env file is missing, which could trigger the vulnerability. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the TinyEnv package to version 1.0.11 or later, where the issue is fixed. As a workaround, you can manually verify the existence of the .env file before initializing TinyEnv in your PHP code, for example by adding: `if (!file_exists(__DIR__ . '/.env')) { throw new RuntimeException('.env file is missing!'); }`. This ensures the application explicitly handles the missing configuration file scenario instead of silently ignoring it. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart