Strix
26.1K

CVE-2025-58759

MEDIUMCVSS 6.5/10EPSS 0.19%

Last modified

CVE-2025-58759 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. EPSS estimates a 0.19% chance of exploitation in the next 30 days.

Description

TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Probability
0.19%

9.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Datahihi1Tinyenv>= 1.0.9, < 1.0.11

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-58759?
TinyEnv is an environment variable loader for PHP applications. In versions 1.0.9 and 1.0.10, TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication. The issue is fixed in v1.0.11. Users should upgrade to the latest patched version. As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.
How severe is CVE-2025-58759?
CVE-2025-58759 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.19% probability of exploitation in the next 30 days.
How do I fix CVE-2025-58759?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-58759?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST