VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2025 · Updated Sep 10, 2025

TinyEnv: Missing .env file not required — may cause unexpected behavior

CVE-2025-58758

Description

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the .env file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the .env file before initializing TinyEnv.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TinyEnv PHP library silently ignores missing .env files, possibly leading to insecure defaults or deployment misconfigurations.

Vulnerability

Overview

In TinyEnv versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, the library did not require the .env file to exist when loading environment variables [1]. The loadInternal() method iterated over configured root directories and .env file names but continued silently if no file was found [4]. This means the application could initialize without the expected configuration, potentially using insecure defaults or exposing misconfigured deployment settings [1].

Exploitation and Impact

The attack surface is limited to scenarios where the .env file is accidentally missing or not deployed alongside the application code. No authentication or network access is required; the vulnerability manifests silently during normal application startup. The impact is that the application may operate with default values or without necessary environment-specific variables, leading to security weaknesses such as exposed credentials, incorrect database settings, or enabled debug modes [1].

Mitigation

The issue has been fixed in version 1.0.11, which now throws an exception when no .env file is found [1][4]. Users should upgrade to 1.0.11 or later. As a workaround, administrators can manually verify the existence of the .env file before initializing TinyEnv [1].
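The workaround described above, as an added example that is not part of this advisory or of the TinyEnv project: a fail-closed pre-flight check that mirrors the 1.0.11 logic before the library is even constructed, plus a required-variable getter so that a missing .env cannot quietly turn into defaults even on an unpatched 1.0.1 to 1.0.10. It assumes a Composer-style `vendor/autoload.php`, that the package's env() helper (the one used in the project's demo.php) returns null or false for an unset variable, and uses a constructed APP_DEBUG variable alongside DB_HOST from the demo .env.

```php
<?php
// Added example (not TinyEnv's own code). Two layers of defence against the
// silent-missing-.env behaviour: refuse to start without a readable env file,
// and read security-relevant settings fail-closed.
// Assumptions: Composer autoload layout; env() from the package's helpers.php
// returns null or false when a variable is not set.

declare(strict_types=1);

use Datahihi1\TinyEnv\TinyEnv;

require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer layout

/**
 * Same search the 1.0.11 fix performs inside loadInternal(), done up front:
 * return the first readable env file in any root directory, or throw.
 */
function findEnvFile(array $rootDirs, array $envFiles = ['.env']): string
{
    foreach ($rootDirs as $dir) {
        foreach ($envFiles as $name) {
            $path = $dir . DIRECTORY_SEPARATOR . $name;
            if (is_file($path) && is_readable($path)) {
                return $path;
            }
        }
    }
    throw new RuntimeException(
        'Refusing to start: no readable env file in [' . implode(', ', $rootDirs) . ']'
    );
}

/** Read a variable that must be present and non-empty; never substitute a default. */
function requireEnv(string $key): string
{
    $value = env($key);
    if ($value === null || $value === false || $value === '') {
        throw new RuntimeException("Required environment variable {$key} is not set");
    }
    return (string) $value;
}

$envFile = findEnvFile([__DIR__]);   // throws on a missing .env, whatever the library version
$env = new TinyEnv(__DIR__, true);   // constructor arguments as in the project's demo.php
$env->load();

// A missing value is an error, not "localhost" or "debug on".
$dbHost = requireEnv('DB_HOST');                                       // from the demo .env
$debug  = filter_var(requireEnv('APP_DEBUG'), FILTER_VALIDATE_BOOLEAN); // constructed name
```

Both functions throw before any request is served, so a deployment that forgot to ship its .env fails loudly at startup instead of running on defaults.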

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
datahihi1/tiny-env (Packagist)   < 1.0.3               1.0.3
datahihi1/tiny-env (Packagist)   >= 1.0.9, < 1.0.11    1.0.11

Affected products

  • TinyEnv/TinyEnv (llm-create)
    Range: <= 1.0.10
  • datahihi1/tiny-env (v5)
    Range: >= 1.0.1, < 1.0.3

Patches

69b7b885e6cf

Update version 1.0.11: fixed function to remove inline comments in environment variables

https://github.com/datahihi1/tiny-env · datahihi1 · Sep 8, 2025 · via ghsa
3 files changed · +27 −19
  • demo.php (+0 −9, removed)
    @@ -1,9 +0,0 @@
    -<?php
    -
    -require_once 'src/TinyEnv.php';
    -require_once 'src/helper/helpers.php';
    -
    -$env = new \Datahihi1\TinyEnv\TinyEnv(__DIR__, true);
    -$env->load();
    -
    -print_r(env('USER'));
    \ No newline at end of file
    
  • .env (+0 −7, removed)
    @@ -1,7 +0,0 @@
    -DB_HOST=localhost
    -DB_PORT=3306
    -DB_URL=${DB_HOST}:${DB_PORT}
    -
    -USER_NAME=
    -USER=${USER_NAME:-guest}   # default if unset or empty
    -ALT_USER=${USER_NAME-guest} # default if unset only
    \ No newline at end of file
    
  • src/TinyEnv.php (+27 −3, modified)
    @@ -176,9 +176,10 @@ private function parseAndSetEnvLine(string $line, ?array $allowedKeys = null): v
             $line = trim($line);
             if ($line === '' || $line[0] === '#' || strpos($line, '=') === false)
                 return;
    -
    -        [$key, $value] = explode('=', $line, 2);
    -        $key = trim($key);
    +        $eqPos = strpos($line, '=');
    +        $key = trim(substr($line, 0, $eqPos));
    +        $value = ltrim(substr($line, $eqPos + 1));
    +        $value = self::stripEnvComment($value);
     
             if ($allowedKeys !== null && !in_array($key, $allowedKeys, true))
                 return;
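Review bot: the new `$key = trim(substr($line, 0, $eqPos));` can produce an empty key when the line begins with `=` (for example `=value`), and the guard above it only rejects lines with no `=` at all; add `$key === ''` to that guard, or return right after computing `$key`, so an empty key is never handed to the setter. Minor: `strpos($line, '=')` is now evaluated twice; computing `$eqPos` once and testing `$eqPos === false` in the guard removes the duplication.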
    @@ -224,6 +225,29 @@ function (array $m): string {
             self::$cache[$key] = $parsed;
         }
     
    +    /**
    +     * Remove inline comment (not in quotes) from env value.
    +     * @param string $value
    +     * @return string
    +     */
    +    private static function stripEnvComment(string $value): string
    +    {
    +        $len = strlen($value);
    +        $inSingle = false;
    +        $inDouble = false;
    +        for ($i = 0; $i < $len; $i++) {
    +            $c = $value[$i];
    +            if ($c === "'" && !$inDouble) {
    +                $inSingle = !$inSingle;
    +            } elseif ($c === '"' && !$inSingle) {
    +                $inDouble = !$inDouble;
    +            } elseif ($c === '#' && !$inSingle && !$inDouble) {
    +                return rtrim(substr($value, 0, $i));
    +            }
    +        }
    +        return $value;
    +    }
    +
         /**
          * Load environment variables from a specific .env file, optionally filtering by keys.
          *
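Review bot: stripEnvComment() treats any unquoted `#` as the start of a comment, so an unquoted value such as `DB_PASS=abc#123` is silently truncated to `abc`, and a stray apostrophe in an unquoted value (`MSG=it's here # note`) flips `$inSingle` and disables comment stripping for the rest of the line. Most dotenv parsers only treat `#` as a comment in an unquoted value when it is preceded by whitespace; consider requiring `$i === 0 || ctype_space($value[$i - 1])` before returning, and document that values containing `#` must be quoted. A few unit cases (`a#b`, `a #b`, `'a#b' #c`, `"a'b" #c`) would pin the intended behaviour down and catch regressions.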
    
7dc656c58bef

Re-fixed: require .env file existence in loadInternal()

https://github.com/datahihi1/tiny-env · datahihi1 · Sep 8, 2025 · via ghsa
3 files changed · +21 −1
  • demo.php (+9 −0, added)
    @@ -0,0 +1,9 @@
    +<?php
    +
    +require_once 'src/TinyEnv.php';
    +require_once 'src/helper/helpers.php';
    +
    +$env = new \Datahihi1\TinyEnv\TinyEnv(__DIR__, true);
    +$env->load();
    +
    +print_r(env('USER'));
    \ No newline at end of file
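Review bot: the two `require_once 'src/...'` lines resolve against the include path and the current working directory rather than against this file, so `php demo.php` run from any other directory fails; anchor them as `require_once __DIR__ . '/src/TinyEnv.php';` and likewise for the helper file.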
    
  • .env (+7 −0, added)
    @@ -0,0 +1,7 @@
    +DB_HOST=localhost
    +DB_PORT=3306
    +DB_URL=${DB_HOST}:${DB_PORT}
    +
    +USER_NAME=
    +USER=${USER_NAME:-guest}   # default if unset or empty
    +ALT_USER=${USER_NAME-guest} # default if unset only
    \ No newline at end of file
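Review bot: this commits a real `.env` file to the repository, which is exactly the file users should keep out of version control in their own deployments; ship it as `.env.example` and add `.env` to `.gitignore` so a copied checkout does not start from a committed configuration file. The `${USER_NAME:-guest}` / `${USER_NAME-guest}` pair is a useful fixture for the two default-expansion forms and is worth keeping in the example file.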
    
  • src/TinyEnv.php (+5 −1, modified)
    @@ -64,7 +64,6 @@ public function envfiles(array $files): self
         public function load($specificKeys = []): self
         {
             return $this->loadInternal($specificKeys);
    -
         }
     
         /**
    @@ -79,14 +78,19 @@ protected function loadInternal($specificKeys = [], bool $forceReload = false):
                 return $this;
             $specificKeys = (array) $specificKeys;
             $filter = count($specificKeys) > 0 ? $specificKeys : null;
    +        $found = false;
             foreach ($this->rootDirs as $dir) {
                 foreach ($this->envFiles as $fileName) {
                     $file = $dir . DIRECTORY_SEPARATOR . $fileName;
                     if (is_file($file) && is_readable($file)) {
                         $this->loadEnvFile($file, $filter);
    +                    $found = true;
                     }
                 }
             }
    +        if (!$found) {
    +            throw new Exception("No .env file found in any root directory: [" . implode(", ", $this->rootDirs) . "] with files [" . implode(", ", $this->envFiles) . "]");
    +        }
             self::$loaded = true;
             return $this;
         }
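Review bot: `throw new Exception(...)` in loadInternal() is unqualified; since this class lives in the `Datahihi1\TinyEnv` namespace (see `\Datahihi1\TinyEnv\TinyEnv` in this commit's demo.php), the name resolves to `Datahihi1\TinyEnv\Exception` unless the file carries `use Exception;`, so confirm that import exists or write `throw new \Exception(...)`. The commit message calls this a re-fix, so a unit test asserting that load() throws when no env file exists in any root directory would guard against a second regression. Note also that the message interpolates every root directory path, which is helpful in logs but should be caught and logged rather than rendered to end users, since an uncaught exception page would expose filesystem layout.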
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.