GHSA-72cm-7236-h43r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-72cm-7236-h43r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-72cm-7236-h43r/GHSA-72cm-7236-h43r.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-72cm-7236-h43r
- Aliases
-
- CVE-2025-58759
- Published
- 2025-09-09T21:01:44Z
- Modified
- 2025-09-10T21:39:05.548008Z
- Severity
-
- 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- TinyEnv: Inline comments not stripped properly in .env values
- Details
-
Impact
TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication.
Patches
Fixed in v1.0.11. Users should upgrade to the latest patched version.
Workarounds
As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-09-09T20:15:49Z", "github_reviewed_at": "2025-09-09T21:01:44Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE" }- References
Affected packages
Packagist / datahihi1/tiny-env
Package
- Name
- datahihi1/tiny-env
- Purl
- pkg:composer/datahihi1/tiny-env