CVE-2025-58759

Source
https://cve.org/CVERecord?id=CVE-2025-58759
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58759.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-58759
Aliases
Published
2025-09-09T19:52:39.014Z
Modified
2026-04-10T05:33:00.964640Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
TinyEnv: Inline comments not stripped properly in .env values
Details

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.
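
One way to apply the workaround above, as an added example that is not TinyEnv's code or part of the advisory: a PHP audit that lists the .env assignments carrying an inline comment, so they can be cleaned up or sanitized before loading. The function names, the comment convention described in the code comment, and the sample lines are assumptions made for illustration.

```php
<?php
// Assumed convention (common to dotenv-style files, not taken from TinyEnv's
// source): in an unquoted value a '#' at the start or after whitespace begins
// a comment; in a quoted value '#' is literal and text after the closing
// quote is dropped. Escaped quotes inside a value are not handled.
function strip_inline_comment(string $raw): string
{
    $raw = trim($raw);
    if ($raw === '') {
        return '';
    }
    $quote = $raw[0];
    if ($quote === '"' || $quote === "'") {
        $end = strpos($raw, $quote, 1);
        // Unterminated quote: return unchanged so a human reviews it.
        return $end === false ? $raw : substr($raw, 0, $end + 1);
    }
    if (preg_match('/(^|\s)#/', $raw, $m, PREG_OFFSET_CAPTURE)) {
        return rtrim(substr($raw, 0, $m[0][1]));
    }
    return $raw;
}

// Returns [line number => key] for assignments that carry an inline comment.
function find_inline_comments(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue; // blank line, full-line comment, or not an assignment
        }
        [$key, $value] = explode('=', $line, 2);
        if (strip_inline_comment($value) !== trim($value)) {
            $hits[$i + 1] = trim($key);
        }
    }
    return $hits;
}

// Constructed sample .env lines, for illustration only.
$sample = [
    'APP_DEBUG=false # never enable in production',
    'DB_PASSWORD="p#ss word" # quoted, so the first # is literal',
    'API_TOKEN=abc#123',
    '# full-line comment',
];
foreach (find_inline_comments($sample) as $lineNo => $key) {
    echo "line $lineNo: $key carries an inline comment\n";
}
```

To audit a real file, pass `file($path, FILE_IGNORE_NEW_LINES)` to `find_inline_comments()`.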

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58759.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/datahihi1/tiny-env

Affected ranges

Type
GIT
Repo
https://github.com/datahihi1/tiny-env
Events

Affected versions

1.*
1.0.10
1.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58759.json"