CVE-2022-29256
Server-Side Command Injection vulnerability in sharp (npm)

Vulnerability type: Server-Side Command Injection
Known public exploits: none

What is CVE-2022-29256 About?

Versions of the `sharp` package before 0.30.5 contain a command injection in logic that runs only at `npm install` time. If an attacker can set the value of the `PKG_CONFIG_PATH` environment variable in the environment where sharp is being installed, they can inject arbitrary shell commands into the installation process. The precondition (control over a build-time environment variable) narrows the attack surface considerably, but wherever it holds the outcome is arbitrary command execution on the build host. Injecting the commands is straightforward once that precondition is met; obtaining it is the hard part, which makes the issue highly situational.

Affected Software

sharp <0.30.5

Technical Details

During npm install, sharp's install logic checks whether a usable system-wide libvips is already present by asking pkg-config for the version of vips-cpp. PKG_CONFIG_PATH is the search path pkg-config uses to find .pc files (the metadata files that describe a library's compiler and linker flags), so the install logic passes the variable through to that query. In versions before 0.30.5 the query was built as a single shell command string with the value of PKG_CONFIG_PATH interpolated into it and then handed to a shell. Nothing validated or escaped that value, so a value containing shell metacharacters (a closing quote, a semicolon, a $(...) substitution) terminates the intended command and appends the attacker's own, which the shell executes with the privileges of the npm install process. The flaw is therefore in how the variable's value is spliced into a command line, not in the contents of any .pc file; a malicious .pc file can only influence build flags, and that is not what CVE-2022-29256 describes. Version 0.30.5 fixes the issue by handing PKG_CONFIG_PATH to pkg-config through the child process's environment instead of interpolating it into the command string, so the value is treated as data rather than parsed by a shell.

What is the Impact of CVE-2022-29256?

Successful exploitation allows arbitrary command execution on the machine running `npm install`, with the privileges of that process. Depending on what that machine is, the consequences range from compromise of a developer workstation, to theft of secrets and credentials held by a CI runner, to tampering with the artifacts the build produces, which turns the issue into a supply chain attack against everything downstream of that build.

What is the Exploitability of CVE-2022-29256?

Exploitation requires the attacker to control the value of PKG_CONFIG_PATH in the environment where `npm install` runs. That is a local precondition on the build host, not something reachable from a deployed application that merely uses sharp, so the issue is best classed as a local vulnerability with high privilege requirements: whoever can set environment variables for a build already has meaningful access to it, either as a privileged user or because the build system is badly misconfigured. No user interaction is needed beyond the install itself, and once the precondition holds the injection is simple. The realistic paths to that precondition are hosting and build platforms that let untrusted users or tenants set environment variables for a build, and CI/CD systems that let untrusted contributors influence the job environment (for example through workflow or configuration files submitted in a pull request) while installing dependencies. In those settings a single injected command runs on the machine that builds and publishes artifacts, which is what makes the supply chain scenario credible.

What are the Known Public Exploits?

No public proof-of-concept exploits are listed for this vulnerability.

What are the Available Fixes for CVE-2022-29256?

Available Upgrade Options

  • sharp
    • <0.30.5 → Upgrade to 0.30.5 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2022-29256?

Similar Vulnerabilities: CVE-2020-5259, CVE-2020-15206, CVE-2021-3829, CVE-2020-7712, CVE-2020-28498