
CVE-2022-29256 – Possible vulnerability at 'npm install' time in sharp if an attacker has control over build environment
https://notcve.org/view.php?id=CVE-2022-29256
25 May 2022 — sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and...

• Fix commit: https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0c
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')