Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/sharp@0.14.1

Type npm

Namespace

Name sharp

Version 0.14.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.32.6

Latest_non_vulnerable_version 0.32.6

Affected_by_vulnerabilities

url VCID-n45w-tfmt-z3cj

vulnerability_id VCID-n45w-tfmt-z3cj

summary

sharp vulnerability in libwebp dependency CVE-2023-4863
## Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.

## Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

## How to resolve this?

### Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

### Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

## Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.
```js
sharp.block({ operation: ["VipsForeignLoadWebp"] });
```

references

reference_url

https://github.com/lovell/sharp

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lovell/sharp

reference_url

https://github.com/lovell/sharp/commit/dbce6fab795ca4250bda9b1ef502c1fdb7d4a30c

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lovell/sharp/commit/dbce6fab795ca4250bda9b1ef502c1fdb7d4a30c

reference_url

https://github.com/lovell/sharp/security/advisories/GHSA-54xq-cgqr-rpm3

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lovell/sharp/security/advisories/GHSA-54xq-cgqr-rpm3

reference_url	https://github.com/advisories/GHSA-54xq-cgqr-rpm3
reference_id	GHSA-54xq-cgqr-rpm3
reference_type
scores
url	https://github.com/advisories/GHSA-54xq-cgqr-rpm3

fixed_packages

url	pkg:npm/sharp@0.32.6
purl	pkg:npm/sharp@0.32.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/sharp@0.32.6

aliases GHSA-54xq-cgqr-rpm3, GMS-2023-4343

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n45w-tfmt-z3cj

url VCID-t53w-xfpy-7ugy

vulnerability_id VCID-t53w-xfpy-7ugy

summary sharp vulnerable to Command Injection in post-installation over build environment

references

reference_url

https://advisory.dw1.io/54

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://advisory.dw1.io/54

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-29256

reference_id

reference_type

scores

value	0.00164
scoring_system	epss
scoring_elements	0.3724
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-29256

reference_url

https://github.com/lovell/sharp

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lovell/sharp

reference_url

https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0c

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-29256

reference_id

CVE-2022-29256

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-29256

reference_url

https://github.com/advisories/GHSA-gp95-ppv5-3jc5

reference_id

GHSA-gp95-ppv5-3jc5

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gp95-ppv5-3jc5

reference_url

https://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5

reference_id

GHSA-gp95-ppv5-3jc5

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5

fixed_packages

url pkg:npm/sharp@0.30.5

purl pkg:npm/sharp@0.30.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n45w-tfmt-z3cj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sharp@0.30.5

aliases CVE-2022-29256, GHSA-gp95-ppv5-3jc5

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t53w-xfpy-7ugy

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/sharp@0.14.1

Package Instance