Command Injection
Description
All versions of spritesheet-js are vulnerable to command injection via its dependency platform-command, allowing arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The spritesheet-js package is vulnerable to command injection due to its dependency on the platform-command package [1]. The injection point is located at line 32 in lib/generator.js, which is triggered via the main entry point of the package [2][3].
Exploitability
An attacker can exploit this vulnerability by providing crafted input to the spritesheet-js command-line tool, for example via the scale option. This can be done without authentication, as the tool is typically run locally or in automated pipelines [3]. A proof-of-concept demonstrates that passing a value containing command separators (e.g., &) leads to arbitrary command execution [3].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the user running spritesheet-js [3]. This can lead to data loss, privilege escalation, or further compromise.
Mitigation
As of the latest advisory, there is no fixed version of spritesheet-js [3]. The only mitigation is to avoid using the package or to carefully sanitize inputs if absolutely necessary. The vulnerability has a CVSS base score of 9.8 (Critical) [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| spritesheet-js (npm) | <= 1.2.6 | — |
Affected products
- spritesheet-js/spritesheet-js
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-333x-qr3v-g4xx
- nvd.nist.gov/vuln/detail/CVE-2020-7782
- github.com/krzysztof-o/spritesheet.js/blob/master/lib/generator.js
- github.com/krzysztof-o/spritesheet.js/blob/master/lib/generator.js#L32
- snyk.io/vuln/SNYK-JS-SPRITESHEETJS-1048333
- www.npmjs.com/package/spritesheet-js