CVE-2025-58758
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| datahihi1 | tinyenv | From 1.0.1 (inc) to 1.0.3 (exc) |
| datahihi1 | tinyenv | From 1.0.9 (inc) to 1.0.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in TinyEnv versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10 occurs because the package does not require the .env file to exist when loading environment variables. As a result, if the .env file is missing, the application may silently ignore this missing configuration and proceed with potentially insecure default settings or deployment misconfigurations. This improper handling of the missing .env file can lead to unexpected and insecure behavior in PHP applications using TinyEnv. [1]
How can this vulnerability impact me?
The impact of this vulnerability is that your application might run with missing or default environment configurations without any warning or error. This can lead to insecure defaults being used, which may expose your application to security risks or cause it to behave incorrectly. Since the application does not explicitly check for the presence of the .env file, deployment misconfigurations can occur, potentially compromising confidentiality and integrity of the application environment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the TinyEnv package used in your PHP application; versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10 are vulnerable. To find the installed version, run `composer show datahihi1/tiny-env` or inspect your composer.lock file. Additionally, verify whether the .env file actually exists in the application directory, since a missing file is the condition that triggers the vulnerability; a manual check such as `ls -la /path/to/your/app/.env` will show whether it is absent. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the TinyEnv package to version 1.0.11 or later, where the issue is fixed. As a workaround, you can manually verify the existence of the .env file before initializing TinyEnv in your PHP code, for example by adding: `if (!file_exists(__DIR__ . '/.env')) { throw new RuntimeException('.env file is missing!'); }`. This ensures the application explicitly handles the missing configuration file scenario instead of silently ignoring it. [1]
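As an added example, not code from TinyEnv or from this advisory, the PHP script below does two things the answers above describe: it checks a version string against the affected ranges in the table (1.0.1 to 1.0.3 exclusive, 1.0.9 to 1.0.11 exclusive), and it loads a .env file fail-closed, refusing to start when the file is missing, unreadable, malformed, or lacking required keys, which generalises the one-line `file_exists` workaround. The function names (`isAffectedTinyEnvVersion`, `parseEnvLines`, `loadEnvStrict`) and the sample .env contents are assumptions constructed here; TinyEnv's own API is not used.

```php
<?php
// Added example (not TinyEnv's code). Helper names are hypothetical; TinyEnv's API is not assumed.
declare(strict_types=1);

/** Affected ranges taken from the advisory table: [1.0.1, 1.0.3) and [1.0.9, 1.0.11). */
function isAffectedTinyEnvVersion(string $version): bool
{
    $ranges = [['1.0.1', '1.0.3'], ['1.0.9', '1.0.11']];
    foreach ($ranges as [$from, $to]) {
        if (version_compare($version, $from, '>=') && version_compare($version, $to, '<')) {
            return true;
        }
    }
    return false;
}

/** Parse KEY=VALUE lines; blank lines and '#' comments are skipped, surrounding quotes stripped. */
function parseEnvLines(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $index => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/', $line, $m)) {
            // CWE-703 lesson: report the exceptional condition instead of silently skipping it.
            throw new RuntimeException(sprintf('Malformed .env line %d: %s', $index + 1, $line));
        }
        $value = $m[2];
        if (strlen($value) >= 2 && ($value[0] === '"' || $value[0] === "'") && $value[-1] === $value[0]) {
            $value = substr($value, 1, -1);
        }
        $vars[$m[1]] = $value;
    }
    return $vars;
}

/** Load a .env file, refusing to proceed if it is missing, unreadable, or lacks required keys. */
function loadEnvStrict(string $path, array $requiredKeys = []): array
{
    if (!is_file($path)) {
        throw new RuntimeException("Required environment file is missing: {$path}");
    }
    $contents = @file_get_contents($path);
    if ($contents === false) {
        throw new RuntimeException("Environment file is not readable: {$path}");
    }
    $vars = parseEnvLines($contents);
    $missing = array_diff($requiredKeys, array_keys($vars));
    if ($missing !== []) {
        throw new RuntimeException('Missing required environment keys: ' . implode(', ', $missing));
    }
    foreach ($vars as $key => $value) {
        putenv("{$key}={$value}");
        $_ENV[$key] = $value;
    }
    return $vars;
}

// --- Version check against the advisory's affected ranges (sample version strings) ---
foreach (['1.0.2', '1.0.5', '1.0.10', '1.0.11'] as $v) {
    printf("tinyenv %-6s affected: %s\n", $v, isAffectedTinyEnvVersion($v) ? 'yes' : 'no');
}

// --- Fail-closed loading with a constructed .env file (sample values, not a real deployment) ---
$dir = sys_get_temp_dir() . '/tinyenv-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/.env', "# constructed sample\nAPP_ENV=production\nAPP_DEBUG=false\nDB_PASSWORD=\"sample-only\"\n");

$vars = loadEnvStrict($dir . '/.env', ['APP_ENV', 'APP_DEBUG', 'DB_PASSWORD']);
echo 'Loaded keys: ', implode(', ', array_keys($vars)), PHP_EOL;

// The advisory's failure mode: the file is absent. A silent loader would return nothing and the
// application would continue with its built-in defaults; this loader stops instead.
try {
    loadEnvStrict($dir . '/missing.env', ['APP_ENV']);
} catch (RuntimeException $e) {
    echo 'Refused to start: ', $e->getMessage(), PHP_EOL;
}

unlink($dir . '/.env');
rmdir($dir);
```

Run it with `php loader_demo.php`. The required-keys list is the part worth adopting even after upgrading to 1.0.11: a present but incomplete .env file produces the same silent-default behaviour as a missing one, and listing the keys the application cannot run without turns that into a startup error rather than a misconfiguration discovered in production.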