GHSA-3j7m-5g4q-gfpc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3j7m-5g4q-gfpc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3j7m-5g4q-gfpc/GHSA-3j7m-5g4q-gfpc.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3j7m-5g4q-gfpc
- Aliases
- Published
- 2025-09-09T20:59:52Z
- Modified
- 2025-09-10T21:36:51.783199Z
- Severity
-
- 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- TinyEnv: Missing .env file not required — may cause unexpected behavior
- Details
-
Impact
TinyEnv did not require the
.envfile to exist when loading environment variables.
This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations.Affected versions:
- 1.0.1 → 1.0.2
- 1.0.9 → 1.0.10Patches
The issue has been fixed in version 1.0.11.
All users should upgrade to1.0.11or later.Workarounds
As a workaround, users can manually verify the existence of the
.envfile before initializing TinyEnv, for example:```php if (!file_exists(DIR . '/.env')) { throw new RuntimeException('.env file is missing!'); }
- Database specific
{ "github_reviewed_at": "2025-09-09T20:59:52Z", "cwe_ids": [ "CWE-703" ], "nvd_published_at": "2025-09-09T20:15:49Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc
- https://nvd.nist.gov/vuln/detail/CVE-2025-58758
- https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e
- https://github.com/datahihi1/tiny-env/commit/7dc656c58bef6050afb8f7a395e38227e31a66df
- https://github.com/datahihi1/tiny-env
Affected packages
Packagist / datahihi1/tiny-env
Package
- Name
- datahihi1/tiny-env
- Purl
- pkg:composer/datahihi1/tiny-env
Packagist / datahihi1/tiny-env
Package
- Name
- datahihi1/tiny-env
- Purl
- pkg:composer/datahihi1/tiny-env