CVE-2025-58759

TinyEnv: Inline comments not stripped properly in .env values

CVSS 5.1 MEDIUMEPSS 0.2%CWE-20

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

09 set 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Produtos afetados

datahihi1 · tiny-env

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/datahihi1/tiny-env/security/advisories/GHSA-72cm-7236-h43r