CVE-2022-29256

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-29256
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29256.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-29256
Aliases
Published
2022-05-25T21:20:12Z
Modified
2025-11-28T03:48:13.228445Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
Possible vulnerability at 'npm install' time in sharp if an attacker has control over build environment
Details

sharp is an application for Node.js image processing. Versions prior to 0.30.5 contain a possible vulnerability in logic that runs only at npm install time. If an attacker can set the value of the PKG_CONFIG_PATH environment variable in a build environment, they might be able to use it to inject an arbitrary command at npm install time. This logic is not part of any runtime code, the issue does not affect Windows users at all, and it is unlikely to affect anyone who already cares about the security of their build environment. The problem is fixed in version 0.30.5.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29256.json",
    "cwe_ids": [
        "CWE-77"
    ]
}
References

Affected packages

Git / github.com/lovell/sharp

Affected ranges

Type
GIT
Repo
https://github.com/lovell/sharp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.12.0
v0.12.1
v0.12.2
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.19.0
v0.19.1
v0.2.0
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.20.4
v0.20.5
v0.20.6
v0.20.7
v0.20.8
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.25.4
v0.26.0
v0.26.0-alpha1
v0.26.0-alpha2
v0.26.0-beta1
v0.26.1
v0.26.2
v0.26.3
v0.27.0
v0.27.0-beta1
v0.27.1
v0.27.2
v0.28.0
v0.28.0-alpha1
v0.28.0-beta1
v0.28.1
v0.28.2
v0.28.3
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.3.0
v0.30.0
v0.30.1
v0.30.2
v0.30.3
v0.30.4
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0
v0.9.1
v0.9.2
v0.9.3