GHSA-3j7m-5g4q-gfpc: TinyEnv: Missing .env file not required — may cause unexpected behavior

Impact

TinyEnv did not require the .env file to exist when loading environment variables.
This could lead to unexpected behavior where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations.

Affected versions:

  • 1.0.1 → 1.0.2
  • 1.0.9 → 1.0.10

Patches

The issue has been fixed in version 1.0.11.
All users should upgrade to 1.0.11 or later.

Workarounds

As a workaround, users can manually verify the existence of the .env file before initializing TinyEnv, for example:

if (!file_exists(__DIR__ . '/.env')) {
    throw new RuntimeException('.env file is missing!');
}
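
A stricter form of the workaround above, as an added example (not code from the advisory or from TinyEnv): it fails closed when the file is missing, is not a regular readable file, or lacks a required value. The helper name assertEnvFileUsable, the simplified KEY=VALUE parsing, and the key names APP_KEY and DB_PASSWORD are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of TinyEnv): fail closed when the .env file
// is missing, not a regular readable file, or lacks a required non-empty key.
function assertEnvFileUsable(string $path, array $requiredKeys = []): array
{
    // file_exists() is also true for directories, so require a regular file.
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("Env file missing or unreadable: {$path}");
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("Env file could not be read: {$path}");
    }

    // Simplified KEY=VALUE parsing, used only for this presence check.
    $values = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue; // skip blanks, comments and lines without an assignment
        }
        [$key, $value] = explode('=', $line, 2);
        $values[trim($key)] = trim(trim($value), "\"'");
    }

    // An existing file that omits a required value still leaves defaults in play.
    $missing = [];
    foreach ($requiredKeys as $key) {
        if (!isset($values[$key]) || $values[$key] === '') {
            $missing[] = $key;
        }
    }
    if ($missing !== []) {
        throw new RuntimeException('Env file lacks required keys: ' . implode(', ', $missing));
    }
    return $values;
}

// Constructed sample input; APP_KEY and DB_PASSWORD are placeholder key names.
$sample = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($sample, "# constructed sample\nAPP_KEY=\"abc123\"\nDB_PASSWORD=\n");
try {
    assertEnvFileUsable($sample, ['APP_KEY', 'DB_PASSWORD']); // call before initializing TinyEnv
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
} finally {
    unlink($sample);
}
```
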
CVE-2025-58758 (GitHub Advisory Database, GitHub Reviewed)

Moderate severity • GitHub Reviewed • Published Sep 8, 2025 in datahihi1/tiny-env • Updated Sep 9, 2025

Package

datahihi1/tiny-env (Composer)

Affected versions

  • < 1.0.3
  • >= 1.0.9, < 1.0.11

Patched versions

  • 1.0.3
  • 1.0.11

References

  • https://github.com/datahihi1/tiny-env/security/advisories/GHSA-3j7m-5g4q-gfpc
  • https://github.com/datahihi1/tiny-env/commit/7dc656c58bef6050afb8f7a395e38227e31a66df

Published to the GitHub Advisory Database: Sep 9, 2025
