CVE-2025-58758

CVSS v3 5.1 MEDIUM

5.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

T

inyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv.

References

Link	Resource
https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e	Patch
https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:datahihi1:tinyenv::::::::
	cpe:2.3:a:datahihi1:tinyenv::::::::

History

08 Oct 2025, 20:53

Type	Values Removed	Values Added
First Time		Datahihi1 Datahihi1 tinyenv
CPE		cpe:2.3:a:datahihi1:tinyenv::::::::
References	~~() https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e -~~	() https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e - Patch
References	~~() https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc -~~	() https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc - Vendor Advisory

11 Sep 2025, 17:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-09 20:15

Updated : 2025-10-08 20:53

NVD link : CVE-2025-58758

Mitre link : CVE-2025-58758

CVE.ORG link : CVE-2025-58758

JSON object : View

Products Affected

tinyenv

CWE

CWE-703

Improper Check or Handling of Exceptional Conditions

{"id": "CVE-2025-58758", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2025-09-09T20:15:49.177", "references": [{"url": "https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-703"}]}], "descriptions": [{"lang": "en", "value": "TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv."}], "lastModified": "2025-10-08T20:53:57.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:datahihi1:tinyenv:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59163AF1-3CE6-492A-A967-D06854F23799", "versionEndExcluding": "1.0.3", "versionStartIncluding": "1.0.1"}, {"criteria": "cpe:2.3:a:datahihi1:tinyenv:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B552DC02-6409-4631-B4AA-B32D55069A32", "versionEndExcluding": "1.0.11", "versionStartIncluding": "1.0.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}