VYPR
Moderate severity · NVD Advisory · Published May 25, 2022 · Updated Apr 23, 2025

Possible vulnerability at 'npm install' time in sharp if an attacker has control over build environment

CVE-2022-29256

Description

Sharp prior to v0.30.5 allows arbitrary command injection at npm install time if an attacker controls the PKG_CONFIG_PATH environment variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In sharp versions prior to 0.30.5, the install-time helper globalLibvipsVersion() in lib/libvips.js builds a shell command with a template literal: line 68 runs spawnSync(`PKG_CONFIG_PATH="${pkgConfigPath()}" pkg-config --modversion vips-cpp`, spawnSyncOptions). The interpolated pkgConfigPath() value is assembled from the Homebrew pkg-config libdir and the caller's PKG_CONFIG_PATH environment variable with no quoting or escaping, and because the whole command is handed to spawnSync as one string it is parsed by a shell before pkg-config ever runs (the same options are used for the `which brew ... &&` pipeline in the helper, which only works under a shell). A closing double quote inside PKG_CONFIG_PATH therefore terminates the variable assignment, and whatever follows it is executed as further shell commands. This code path runs only during npm install, and only on non-Windows platforms, since the helper is guarded by process.platform !== 'win32' [1][3].

Exploitation

An attacker must be able to set the PKG_CONFIG_PATH environment variable in the environment where npm install runs (e.g. via a malicious package or a compromised CI pipeline). The attack fires when a user or automated process runs npm install sharp; nothing beyond that is required. With PKG_CONFIG_PATH='"; touch pwned #' the generated command becomes PKG_CONFIG_PATH=""; touch pwned #…" pkg-config --modversion vips-cpp (remaining search paths elided), so the shell executes the now-empty assignment, then touch pwned, and discards the rest of the line as a comment [3]. No runtime interaction with sharp and no privilege escalation is needed beyond the build context.

Impact

Successful exploitation results in arbitrary command execution with the privileges of the user running npm install. This can lead to full compromise of the build environment, including disclosure of credentials, source code, and artifacts. The CVSS v3 base score is 5.9 (Medium) due to high privileges required and user interaction, but real-world impact depends on the build environment's security posture [1][4].

Mitigation

Upgrade sharp to version 0.30.5 or later. The fix is commit a6aeef6, dated 23 May 2022, which passes the assembled PKG_CONFIG_PATH to the child process through its environment instead of interpolating it into the command string [4]. No workaround is available for vulnerable versions; until the upgrade lands, an untrusted PKG_CONFIG_PATH during npm install should be treated as a compromise of the build host. Windows users are unaffected because the probe is skipped when process.platform is 'win32'. The vendor notes that an attacker who already controls environment variables in the build environment poses a larger security issue than this one [1][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
sharp (npm)    < 0.30.5            0.30.5

Affected products (2)

  • ghsa-coords
    Range: < 0.30.5
  • lovell/sharpv5
    Range: < 0.30.5

Patches (1)

a6aeef612be5

Install: pass `PKG_CONFIG_PATH` via env rather than substitution

https://github.com/lovell/sharp · Lovell Fuller · May 23, 2022 · via ghsa
2 files changed · +13 −2
  • docs/changelog.md · +3 −0 · modified
    @@ -6,6 +6,9 @@ Requires libvips v8.12.2
     
     ### v0.30.5 - TBD
     
    +* Install: pass `PKG_CONFIG_PATH` via env rather than substitution.
    +  [@dwisiswant0](https://github.com/dwisiswant0)
    +
     * Allow installation of prebuilt libvips binaries from filesystem.
       [#3196](https://github.com/lovell/sharp/pull/3196)
       [@ankurparihar](https://github.com/ankurparihar)
    
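Review bot: the new changelog line under `### v0.30.5 - TBD` credits @dwisiswant0 but, unlike the neighbouring `[#3196]` entry, links no issue, PR or advisory, so a reader cannot get from the changelog to the report or to the affected code path; add the CVE-2022-29256 / GHSA reference beside the attribution in the same link style as the next entry.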
  • lib/libvips.js · +10 −2 · modified
    @@ -65,7 +65,12 @@ const isRosetta = function () {
     
     const globalLibvipsVersion = function () {
       if (process.platform !== 'win32') {
    -    const globalLibvipsVersion = spawnSync(`PKG_CONFIG_PATH="${pkgConfigPath()}" pkg-config --modversion vips-cpp`, spawnSyncOptions).stdout;
    +    const globalLibvipsVersion = spawnSync('pkg-config --modversion vips-cpp', {
    +      ...spawnSyncOptions,
    +      env: {
    +        PKG_CONFIG_PATH: pkgConfigPath()
    +      }
    +    }).stdout;
         /* istanbul ignore next */
         return (globalLibvipsVersion || '').trim();
       } else {
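Review bot: the `env:` object in the `+` lines contains only PKG_CONFIG_PATH, and Node's `env` option replaces the child's environment rather than merging with it, so the shell that runs `pkg-config --modversion vips-cpp` no longer inherits PATH (or HOME, proxy variables, etc.); a pkg-config installed outside the shell's built-in default path, such as a Homebrew prefix, will not be found and the probe silently returns ''. Suggest `env: { ...process.env, PKG_CONFIG_PATH: pkgConfigPath() }`. Making the command string constant is the right fix for the injection itself.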
    @@ -85,7 +90,10 @@ const removeVendoredLibvips = function () {
     
     const pkgConfigPath = function () {
       if (process.platform !== 'win32') {
    -    const brewPkgConfigPath = spawnSync('which brew >/dev/null 2>&1 && eval $(brew --env) && echo $PKG_CONFIG_LIBDIR', spawnSyncOptions).stdout || '';
    +    const brewPkgConfigPath = spawnSync(
    +      'which brew >/dev/null 2>&1 && brew environment --plain | grep PKG_CONFIG_LIBDIR | cut -d" " -f2',
    +      spawnSyncOptions
    +    ).stdout || '';
         return [
           brewPkgConfigPath.trim(),
           env.PKG_CONFIG_PATH,
    
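Review bot: `grep PKG_CONFIG_LIBDIR` in the `+` lines matches any line containing that substring and `cut -d" " -f2` keeps only the second space-delimited field, so the probe depends on `brew environment --plain` printing exactly `PKG_CONFIG_LIBDIR: <value>` with no space inside the value; anchor the match (`grep '^PKG_CONFIG_LIBDIR:'`) and take everything after the separator (e.g. `sed -n 's/^PKG_CONFIG_LIBDIR: //p'`) so a path containing a space is not truncated. Note also that `env.PKG_CONFIG_PATH` is still folded into the return value in the unchanged `return [` lines; that is safe now only because the caller passes the result through `env` rather than into a shell string, which is worth a comment here so a future caller does not interpolate it again.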

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.