TinyEnv: Inline comments not stripped properly in .env values
Description
TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TinyEnv 1.0.9–1.0.10 fails to strip inline comments from .env values, potentially causing misconfiguration or security issues.
Vulnerability
Analysis
TinyEnv, a PHP environment variable loader, in versions 1.0.9 and 1.0.10 does not properly strip inline comments from values in .env files. The parsing logic split each line on the first = sign and used the remainder as the value without removing comment text, so the # character and everything after it stayed in the value [1][3]. A line like DB_PASSWORD=secret#insecure therefore set DB_PASSWORD to secret#insecure rather than secret, and a documentation comment such as APP_DEBUG=false # enable locally produced the value false # enable locally. The fix cuts the value at the first unquoted #, whether or not whitespace precedes it, so under 1.0.11 the first line yields secret.
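To make the two behaviours concrete, here is an added example (not TinyEnv's own code): a minimal PHP reimplementation of the 1.0.9/1.0.10 line handling next to a comment-stripping variant modelled on the 1.0.11 diff shown under Patches, both run over a constructed .env snippet. The outer-quote removal in the fixed variant, the sample text and all function names are this example's own assumptions, not the library's API.

```php
<?php
declare(strict_types=1);

// Added example, not TinyEnv's own code. Two ways of turning .env text into
// key/value pairs: the 1.0.9/1.0.10 approach (split on '=' and keep the rest)
// and a comment-stripping approach modelled on the 1.0.11 diff.

// Constructed sample .env text (not from the project or the advisory).
$sampleEnv = <<<'ENV'
# Database settings
DB_HOST=localhost
DB_PASSWORD=secret#insecure
APP_DEBUG=false # enable locally
SITE_URL="https://example.test/#anchor" # quotes protect the hash
ENV;

// Shared line splitting: skip blanks, full-line comments and lines without '='.
function envLines(string $text): array
{
    $lines = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;
        }
        $lines[] = $line;
    }
    return $lines;
}

// 1.0.9/1.0.10 behaviour: everything after the first '=' is the value,
// so an inline comment survives as part of it.
function parseEnvVulnerable(string $text): array
{
    $vars = [];
    foreach (envLines($text) as $line) {
        [$key, $value] = explode('=', $line, 2);
        $vars[trim($key)] = $value;
    }
    return $vars;
}

// Cut the value at the first '#' that is outside single or double quotes.
// As in the 1.0.11 fix, whitespace before the '#' is not required.
function stripInlineComment(string $value): string
{
    $inSingle = $inDouble = false;
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        if ($c === "'" && !$inDouble) {
            $inSingle = !$inSingle;
        } elseif ($c === '"' && !$inSingle) {
            $inDouble = !$inDouble;
        } elseif ($c === '#' && !$inSingle && !$inDouble) {
            return rtrim(substr($value, 0, $i));
        }
    }
    return $value;
}

// Patched-style behaviour: strip the comment, then drop matching outer quotes
// (the quote removal is this example's own choice; the diff on this page only
// shows the comment stripping).
function parseEnvFixed(string $text): array
{
    $vars = [];
    foreach (envLines($text) as $line) {
        $eq = strpos($line, '=');
        $key = trim(substr($line, 0, $eq));
        $value = stripInlineComment(ltrim(substr($line, $eq + 1)));
        $n = strlen($value);
        if ($n >= 2 && ($value[0] === '"' || $value[0] === "'") && $value[$n - 1] === $value[0]) {
            $value = substr($value, 1, -1);
        }
        $vars[$key] = $value;
    }
    return $vars;
}

$before = parseEnvVulnerable($sampleEnv);
$after  = parseEnvFixed($sampleEnv);
foreach (['DB_PASSWORD', 'APP_DEBUG', 'SITE_URL'] as $key) {
    printf("%-12s 1.0.10: %-52s 1.0.11: %s\n", $key,
        var_export($before[$key], true), var_export($after[$key], true));
}
```

Running it with the PHP CLI prints each variable twice: the vulnerable parse keeps the # and the comment text (and, for SITE_URL, the surrounding quotes), while the comment-stripping parse returns secret, false and the URL with its own #anchor intact, because the # inside the quoted string is not treated as a comment.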
Exploitation
The trigger is whatever follows a # on a value line, so the realistic trigger is a maintainer's own documentation comment rather than an attacker. An attacker who could influence the .env file (through a separate file-write vulnerability, or by getting an administrator to deploy a crafted file) could inject comment characters or arbitrary text into environment variable values, but such an attacker can already set any value outright, so the bug adds little to that position. No authentication is involved beyond the ability to modify the .env file. The affected surface is every 1.0.9 or 1.0.10 deployment whose .env uses inline comments, which is a common practice for documentation [2][4].
Impact
Applications that rely on strict environment variable values may experience logic errors, insecure defaults, or authentication failures, and the failure can go either way. A line such as DB_PASSWORD=s3cret # rotated quarterly yields the password with the comment appended, so the database connection fails (fail closed), and a secret key with trailing comment text is rejected by any length or format check. A line such as APP_DEBUG=false # enable locally yields the string false # enable locally, which a loose (bool) cast in PHP treats as true because it is a non-empty string, so a debug or bypass switch the maintainer believed was off is on (fail open). The vulnerability does not directly enable remote code execution but can lead to misconfiguration that weakens security [1][4].
Mitigation
The issue is fixed in TinyEnv version 1.0.11, which introduces a stripEnvComment method that removes inline comments while respecting single- and double-quoted strings [3]. Users should upgrade to the latest patched version. Note that the patched parser starts a comment at any unquoted #, whether or not whitespace precedes it, so after upgrading a value that legitimately contains # (a password, a URL fragment) must be quoted or it will be truncated. As a temporary workaround, avoid using inline comments in .env files, or validate and sanitize loaded values manually [1][4].
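The "sanitize loaded values manually" workaround above, and the fail-open case described under Impact, can both be covered by a post-load guard. The following is an added example, not part of TinyEnv or the advisory: it takes constructed values of the shape 1.0.9/1.0.10 returns, shows how a loose boolean check misreads comment residue, and then validates every required variable against an explicit pattern so that start-up fails closed. All names, patterns and sample values are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of TinyEnv. A post-load guard for applications that
// cannot yet move off 1.0.9/1.0.10: every value is checked against an explicit
// shape and start-up fails closed on anything else. All names are this
// example's own.

// Constructed values, as 1.0.9/1.0.10 would return them from a .env whose
// maintainer used inline comments for documentation (not real configuration).
$loaded = [
    'APP_ENV'     => 'production # or local',
    'APP_DEBUG'   => 'false # set true on dev machines',
    'DB_PASSWORD' => 's3cret # rotated quarterly',
    'DB_PORT'     => '3306',
];

final class EnvValidationError extends RuntimeException
{
}

// The loose check the Impact section warns about: in PHP any non-empty string
// other than "0" casts to true, so comment residue flips the switch on.
function looseDebugEnabled(array $env): bool
{
    return (bool) ($env['APP_DEBUG'] ?? false);
}

// Strict boolean: only the canonical true/false spellings are accepted;
// anything else, including comment residue, yields null instead of a guess.
function strictBool(array $env, string $key): ?bool
{
    if (!isset($env[$key])) {
        return null;
    }
    return filter_var($env[$key], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Validate each required variable against a regular expression describing
// the only values the application is prepared to act on.
function validateEnv(array $env, array $rules): array
{
    $clean = [];
    foreach ($rules as $key => $pattern) {
        if (!array_key_exists($key, $env)) {
            throw new EnvValidationError("$key is missing");
        }
        if (preg_match($pattern, $env[$key]) !== 1) {
            throw new EnvValidationError(
                "$key has an unexpected value (inline comment left in?): " . var_export($env[$key], true)
            );
        }
        $clean[$key] = $env[$key];
    }
    return $clean;
}

$rules = [
    'APP_ENV'     => '/^(production|staging|local)$/',
    'APP_DEBUG'   => '/^(true|false)$/',
    'DB_PASSWORD' => '/^[^\s#]+$/',        // whitespace or '#' means comment residue got through
    'DB_PORT'     => '/^[1-9][0-9]{0,4}$/',
];

printf("loose debug check: %s\n", var_export(looseDebugEnabled($loaded), true));
printf("strict debug check: %s\n", var_export(strictBool($loaded, 'APP_DEBUG'), true));

try {
    $config = validateEnv($loaded, $rules);
    echo "configuration accepted\n";
} catch (EnvValidationError $e) {
    fwrite(STDERR, 'refusing to start: ' . $e->getMessage() . "\n");
    exit(1);
}
```

With these inputs the loose check reports true while the strict check reports NULL, and validateEnv aborts on APP_ENV, the first rule that fails. The patterns are deliberately tight: a password rule that forbids whitespace and # cannot be satisfied by a value that still carries a comment, which is what makes the guard fail closed rather than silently accept a mangled secret.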
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| datahihi1/tiny-env (Packagist) | >= 1.0.9, < 1.0.11 | 1.0.11 |
Affected products
- datahihi1/tiny-env, affected range: >= 1.0.9, < 1.0.11
Patches
Commit 69b7b885e6cf: Update version 1.0.11: fixed function to remove inline comments in environment variables
3 files changed · +27 −19
demo.php+0 −9 removed@@ -1,9 +0,0 @@ -<?php - -require_once 'src/TinyEnv.php'; -require_once 'src/helper/helpers.php'; - -$env = new \Datahihi1\TinyEnv\TinyEnv(__DIR__, true); -$env->load(); - -print_r(env('USER')); \ No newline at end of file
.env+0 −7 removed@@ -1,7 +0,0 @@ -DB_HOST=localhost -DB_PORT=3306 -DB_URL=${DB_HOST}:${DB_PORT} - -USER_NAME= -USER=${USER_NAME:-guest} # default if unset or empty -ALT_USER=${USER_NAME-guest} # default if unset only \ No newline at end of file
src/TinyEnv.php+27 −3 modified@@ -176,9 +176,10 @@ private function parseAndSetEnvLine(string $line, ?array $allowedKeys = null): v $line = trim($line); if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) return; - - [$key, $value] = explode('=', $line, 2); - $key = trim($key); + $eqPos = strpos($line, '='); + $key = trim(substr($line, 0, $eqPos)); + $value = ltrim(substr($line, $eqPos + 1)); + $value = self::stripEnvComment($value); if ($allowedKeys !== null && !in_array($key, $allowedKeys, true)) return; @@ -224,6 +225,29 @@ function (array $m): string { self::$cache[$key] = $parsed; } + /** + * Remove inline comment (not in quotes) from env value. + * @param string $value + * @return string + */ + private static function stripEnvComment(string $value): string + { + $len = strlen($value); + $inSingle = false; + $inDouble = false; + for ($i = 0; $i < $len; $i++) { + $c = $value[$i]; + if ($c === "'" && !$inDouble) { + $inSingle = !$inSingle; + } elseif ($c === '"' && !$inSingle) { + $inDouble = !$inDouble; + } elseif ($c === '#' && !$inSingle && !$inDouble) { + return rtrim(substr($value, 0, $i)); + } + } + return $value; + } + /** * Load environment variables from a specific .env file, optionally filtering by keys. *
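Review bot: the removed .env fixture was the only in-repo input that exercised the inline-comment case this commit fixes (`USER=${USER_NAME:-guest} # default if unset or empty`, `ALT_USER=${USER_NAME-guest} # default if unset only`); deleting it together with demo.php leaves the regression uncovered. Move those lines under a test fixture and add a test asserting that USER resolves to `guest` with no trailing comment text.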
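Review bot: in the parseAndSetEnvLine hunk, `$value = self::stripEnvComment($value);` is applied to every value and, per the new helper, cuts at the first unquoted `#` even when no whitespace precedes it, so an existing unquoted value such as `secret#insecure` silently changes meaning on upgrade; call that out in the changelog and README (quote values that contain a literal `#`). Separately, `$value = ltrim(substr($line, $eqPos + 1));` trims only the left side and the helper rtrims only when it finds a comment, so `KEY=value   ` keeps its trailing spaces while `KEY=value   # c` does not; apply `rtrim` on both paths unless a later step already trims the value.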
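Review bot: `stripEnvComment` toggles quote state on every bare `'` or `"` with no escape handling, so an unquoted value containing an apostrophe (`MOTD=don't panic # comment`) enters single-quote mode and the comment is never stripped, and a `\"` inside a double-quoted value flips the state early so a later `#` is treated as a comment. Either treat a quote character as significant only when the value starts with that quote, or skip a quote preceded by a backslash. The docblock should also state that quotes are only tracked here, not removed, and that any unquoted `#`, with or without preceding whitespace, starts a comment.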
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-72cm-7236-h43r (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-58759 (GHSA, advisory)
- [3] github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e (GHSA, web)
- [4] github.com/datahihi1/tiny-env/security/advisories/GHSA-72cm-7236-h43r (GHSA, x_refsource_CONFIRM, web)