SCA: security update for datahihi1/tiny-env (GHSA-3j7m-5g4q-gfpc)

high Tenable Self-Hosted Container Security Plugin ID 435237

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and
1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could
lead to unexpected behavior where the application silently ignores missing configuration, potentially
causing insecure defaults or deployment misconfigurations. The issue has been fixed in version 1.0.11. All
users should upgrade to 1.0.11 or later. As a workaround, users can manually verify the existence of the
`.env` file before initializing TinyEnv. (CVE-2025-58758)

See Also

https://github.com/advisories/GHSA-3j7m-5g4q-gfpc

Plugin Details

Severity: High

ID: 435237

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 9/10/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.36

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-58758

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/9/2025

Vulnerability Publication Date: 9/9/2025

Reference Information

CVE: CVE-2025-58758

cwe: CWE-703