CVE-2022-29256
published 2022-05-25CVE-2022-29256: sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install`…
PriorityP431medium6.7CVSS 3.1
AVLACLPRHUINSUCHIHAH
EPSS
0.37%
28.8th percentile
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code16 | sharp | >= 0 < 0.30.5 | 0.30.5 |
| lovell | sharp | < 0.30.5 | 0.30.5 |
| sharp_project | sharp | < 0.30.5 | 0.30.5 |
CVSS provenance
nvdv3.16.7MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
sharp vulnerable to Command Injection in post-installation over build environment
osv·2022-06-01
CVE-2022-29256 [MEDIUM] sharp vulnerable to Command Injection in post-installation over build environment
sharp vulnerable to Command Injection in post-installation over build environment
There's a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5.
This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.
If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time.
I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which s
GHSA
sharp vulnerable to Command Injection in post-installation over build environment
ghsa·2022-06-01
CVE-2022-29256 [MEDIUM] CWE-77 sharp vulnerable to Command Injection in post-installation over build environment
sharp vulnerable to Command Injection in post-installation over build environment
There's a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5.
This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.
If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time.
I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which s
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0chttps://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0chttps://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5
2022-05-25
Published