CVE-2025-58759

Impact

TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication.

Patches

Fixed in v1.0.11. Users should upgrade to the latest patched version.

Workarounds

As a temporary workaround, avoid using inline comments in .env files, or sanitize loaded values manually.

Published: Sep 9, 2025
Updated: Sep 10, 2025
CVE: CVE-2025-58759
GHSA: GHSA-72cm-7236-h43r
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
datahihi1 / tiny-env	1.0.9	1.0.11

https://github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e
https://github.com/datahihi1/tiny-env/security/advisories/GHSA-72cm-7236-h43r

Vulnerability Database

CVE-2025-58759

Impact

Patches

Workarounds

Deep Security Visibility Without the Complexity