CVE-2025-58758: 
PHP vulnerability analysis and mitigation

TinyEnv, an environment variable loader for PHP applications, was found to have a vulnerability (CVE-2025-58758) in versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10. The vulnerability was disclosed on September 9, 2025, where the application did not require the .env file to exist when loading environment variables (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 5.1 (Medium severity) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue stems from improper handling of exceptional conditions (CWE-703), where the application silently ignores missing configuration when the .env file is absent. This behavior occurs locally (AV:L) with low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N) (GitHub Advisory).

The vulnerability could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. The impact affects both confidentiality and integrity at a low level, while availability remains unaffected (GitHub Advisory).

The vulnerability has been fixed in version 1.0.11, and users are advised to upgrade to this version or later. As a temporary workaround, users can manually verify the existence of the .env file before initializing TinyEnv by implementing a file existence check (GitHub Advisory, GitHub Commit).