
CVE-2025-58758: TinyEnv: Missing .env file not required — may cause unexpected behavior

CVSS Score (v3.1): 5.1

Basic Information

EPSS Score: -
Published: 9/9/2025
Updated: 9/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected packages:
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
datahihi1/tiny-env | composer | < 1.0.3 | 1.0.3
datahihi1/tiny-env | composer | >= 1.0.9, < 1.0.11 | 1.0.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is that the tiny-env library did not enforce the existence of a .env file. An application whose .env was missing therefore started with default, and potentially insecure, configuration instead of failing. The patch commit 7dc656c58bef6050afb8f7a395e38227e31a66df shows the fix: the loadInternal function in src/TinyEnv.php was modified to track whether a .env file was found and to throw an exception if none was. The public load function is the entry point and calls loadInternal, so both Datahihi1\TinyEnv\TinyEnv::load and Datahihi1\TinyEnv\TinyEnv::loadInternal are the key functions for this vulnerability. When the condition is hit (the application is started without a .env file), both appear in the stack trace and are the primary runtime indicators. Note that the CVSS vector (AV:L/AC:L/PR:N) describes a local condition: the file must be absent on the host at load time, which typically results from a deployment or packaging mistake rather than from remote input. The affected-versions table lists two separate ranges, so check the installed version in composer.lock against both rather than assuming anything above 1.0.3 is safe.

Vulnerable functions

Datahihi1\TinyEnv\TinyEnv::load
src/TinyEnv.php
This is the public entry point that initiates loading of the .env file and delegates to the vulnerable `loadInternal` function. The condition is met whenever no .env file is present at load time, for example through a deployment mistake or a local actor removing the file (the CVSS vector is AV:L/PR:N), after which the application proceeds with default, potentially insecure configuration.
Datahihi1\TinyEnv\TinyEnv::loadInternal
src/TinyEnv.php
This function locates and parses the .env file. Before the patch it returned silently when no file was found, so the application ran without the configured environment variables and with whatever fallback defaults its own code supplies. The patch adds a check that at least one .env file was found and loaded, and throws an exception if none was.
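To make the failure mode concrete, here is an added example that is not tiny-env's own code and does not reproduce its API: a minimal .env loader written two ways, the silent pre-patch behaviour and the fail-closed behaviour the patch introduces, followed by a startup check an application can apply on its own even while it still runs an unpatched version. The function names, the `APP_DEBUG`/`APP_KEY`/`DB_PASSWORD` keys and the temporary directory are constructed for this demonstration; it needs PHP 8.0 or later.

```php
<?php
// Added example for CVE-2025-58758 (not the tiny-env project's code).
// Function names, keys and the temporary directory are illustrative.

declare(strict_types=1);

// Parse KEY=VALUE lines from a .env file into $_ENV and the process
// environment. Returns the number of variables that were set.
function parseEnvFile(string $path): int
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("Cannot read $path");
    }
    $count = 0;
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue; // skip blanks, comments and malformed lines
        }
        [$key, $value] = explode('=', $line, 2);
        $key = trim($key);
        $value = trim($value, " \t\"'");
        $_ENV[$key] = $value;
        putenv("$key=$value");
        $count++;
    }
    return $count;
}

// Vulnerable pattern (the behaviour described for the affected versions):
// a missing .env is silently skipped and the application keeps running.
function loadEnvSilently(string $dir): void
{
    $file = rtrim($dir, '/') . '/.env';
    if (is_file($file)) {
        parseEnvFile($file);
    }
    // No file: nothing happens, and callers never learn that configuration
    // is absent.
}

// Fixed pattern (what the patch introduces): record whether a .env was
// found and throw when none was, so a misconfigured deployment fails closed.
function loadEnvStrictly(string $dir): void
{
    $file = rtrim($dir, '/') . '/.env';
    if (!is_file($file)) {
        throw new RuntimeException("No .env file found in $dir");
    }
    parseEnvFile($file);
}

// Defence in depth for callers on an unpatched version: refuse to start
// unless every security-relevant key is actually set, regardless of how
// the loader behaved.
function requireEnvKeys(array $keys): void
{
    $missing = array_filter(
        $keys,
        fn(string $k) => getenv($k) === false || getenv($k) === ''
    );
    if ($missing !== []) {
        throw new RuntimeException(
            'Missing required environment variables: ' . implode(', ', $missing)
        );
    }
}

// Demonstration with a constructed temporary directory that has no .env.
$dir = sys_get_temp_dir() . '/tinyenv-demo-' . bin2hex(random_bytes(4));
mkdir($dir);

loadEnvSilently($dir);
$debug = getenv('APP_DEBUG') ?: 'true'; // an insecure fallback silently wins
echo "silent loader: APP_DEBUG={$debug}\n";

try {
    loadEnvStrictly($dir);
} catch (RuntimeException $e) {
    echo "strict loader: {$e->getMessage()}\n";
}

try {
    requireEnvKeys(['APP_KEY', 'DB_PASSWORD']);
} catch (RuntimeException $e) {
    echo "startup check: {$e->getMessage()}\n";
}

rmdir($dir);
```

Run it with `php example.php`: the silent loader reports `APP_DEBUG=true` because the application's own fallback filled the gap, while the strict loader and the `requireEnvKeys` check both throw. The last function is the point for operators who cannot upgrade immediately: enumerating the keys the application cannot safely run without turns a silent misconfiguration into a startup failure independent of the library's behaviour.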

WAF Protection Rules

WAF Rule

### Impact
TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to **unexpected behavior** where the application silently ignores missing configuration, potentially causing insecure defaults or deploy
