TinyEnv Environment Variable Loader Missing .env File Requirement Vulnerability

Vulnerability

A vulnerability exists in TinyEnv, a PHP environment variable loader, in versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10. The issue arises because TinyEnv does not require the .env file to be present when loading environment variables. A missing file is therefore silently ignored along with the configuration it should have supplied, which could lead to unexpected application behavior and potentially result in insecure defaults or deployment misconfigurations.

Impact

The absence of a required .env file can cause applications to overlook critical configuration settings, leading to unintended behavior. This may create insecure default settings or misconfigurations in the deployment process.

Remediation

Users can upgrade to TinyEnv version 1.0.11 or later, where this issue has been fixed. As a workaround, users can manually check for the existence of the .env file before initializing TinyEnv.
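
One way to apply the workaround above in an application's bootstrap, as an added example that is not taken from TinyEnv or its advisory. The function names and the sample key names are hypothetical, and the post-load check assumes the loaded values are visible through $_ENV or getenv().

```php
<?php
declare(strict_types=1);

/**
 * Fail closed when the .env file is missing, instead of letting the
 * loader continue silently with no configuration.
 */
function assertEnvFilePresent(string $dir, string $name = '.env'): string
{
    $path = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;

    // is_file() rejects directories and dangling symlinks.
    if (!is_file($path)) {
        throw new RuntimeException("Required env file not found: {$path}");
    }
    if (!is_readable($path)) {
        throw new RuntimeException("Env file exists but is not readable: {$path}");
    }
    return $path;
}

/**
 * After loading, confirm that the settings the application cannot run
 * safely without are actually set. Key names are supplied by the caller.
 */
function assertEnvKeysSet(array $required): void
{
    $missing = [];
    foreach ($required as $key) {
        // Assumption: the loader exposes values via $_ENV or getenv().
        $value = $_ENV[$key] ?? getenv($key);
        if ($value === false || $value === '') {
            $missing[] = $key;
        }
    }
    if ($missing !== []) {
        throw new RuntimeException('Missing required settings: ' . implode(', ', $missing));
    }
}

try {
    assertEnvFilePresent(__DIR__);
    // Initialize TinyEnv here exactly as the application already does.
    assertEnvKeysSet(['APP_KEY', 'DB_PASSWORD']); // constructed sample keys
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // log the reason, do not echo it to clients
    http_response_code(500);
    exit(1);
}
```

Stopping the process at startup turns a silent fallback to defaults into a visible deployment failure.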

Added: Sep 9, 2025, 8:21 PM
Updated: Sep 9, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.3
remediation: 0.0
relevance: 0.5
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.