CVE-2025-58758: 
PHP vulnerability analysis and mitigation

TinyEnv, an environment variable loader for PHP applications, was found to have a security vulnerability (CVE-2025-58758) discovered on September 9, 2025. The vulnerability affects versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10 of the software. The issue stems from TinyEnv not requiring the .env file to exist when loading environment variables (GitHub Advisory).

The vulnerability is classified as CWE-703 (Improper Check or Handling of Exceptional Conditions). It has been assigned a CVSS v3.1 base score of 5.1 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates a local attack vector, low attack complexity, no privileges required, no user interaction needed, unchanged scope, and low impact on both confidentiality and integrity with no impact on availability (GitHub Advisory).

The vulnerability could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. This could result in applications running with unintended settings, potentially exposing security weaknesses (GitHub Advisory).

The vulnerability has been fixed in version 1.0.11. Users are advised to upgrade to version 1.0.11 or later. As a temporary workaround, users can manually verify the existence of the .env file before initializing TinyEnv by implementing a file existence check (GitHub Advisory, GitHub Commit).