CVE-2025-58759: TinyEnv: Inline comments not stripped properly in .env values

September 9, 2025 (updated September 10, 2025)

TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where variables contain unintended characters (including # or comment text). Applications depending on strict environment values may expose logic errors, insecure defaults, or failed authentication.

References

github.com/advisories/GHSA-72cm-7236-h43r
github.com/datahihi1/tiny-env
github.com/datahihi1/tiny-env/commit/69b7b885e6cfbf07f470fb3512360e0caa95521e
github.com/datahihi1/tiny-env/security/advisories/GHSA-72cm-7236-h43r
nvd.nist.gov/vuln/detail/CVE-2025-58759

Code Behaviors & Features

Detect and mitigate CVE-2025-58759 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →