Key Information

Vulnerability Description

CVE ID: CVE-2022-29256
Vulnerability Type: OS Command Injection in sharp
Affected Versions: sharp prior to version 0.30.4
Issue: The environment variable is used to check prebuilt dependency versions and is directly passed to the command method without any validation, leading to command injection.

Vulnerable Code Snippet

Locations Affected

Proof of Concept

Impact

May lead to arbitrary command execution.

Timeline

May 20, 2022: Requested correct contact for disclosure.
May 23, 2022: Vulnerability reported to code owner.
May 23, 2022: Vulnerability confirmed and fixed.
May 25, 2022: Public disclosure.

References

GHSA-gp95-ppv5-3jc5
love11/sharp@a6aeef6
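
The issue class described under Vulnerability Description, shown as an added example that is not sharp's code and not part of the original advisory: an environment value spliced into a shell-parsed string, beside a form that keeps the value as data and validates it. The variable name `EXAMPLE_LIB_PATH`, the tool name `example-tool` and all function names are hypothetical, the sample values are constructed, and Node itself stands in for the external tool.

```javascript
'use strict';
const { execFileSync } = require('node:child_process');

// Hypothetical variable name; the advisory does not name the real one.
const VAR = 'EXAMPLE_LIB_PATH';

// Vulnerable pattern: the value is spliced into a string that a shell parses.
// The string is returned, not executed, so the result can be inspected safely.
function unsafeCommandLine(value) {
  return `${VAR}="${value}" example-tool --version`;
}

// Allowlist for a path-list value: letters, digits and path punctuation only.
function isPlausiblePathList(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_.\/:-]+$/.test(value);
}

// Hardened pattern: no shell, fixed argv, and the value handed to the child
// through its environment, so it is never parsed as command text.
// The child is Node echoing the variable back, standing in for the real tool.
function safeQuery(value) {
  return execFileSync(
    process.execPath,
    ['-e', `process.stdout.write(process.env.${VAR} || '')`],
    { env: { ...process.env, [VAR]: value }, encoding: 'utf8' }
  );
}

// Defence in depth: reject unexpected characters before running anything.
function checkedQuery(value) {
  if (!isPlausiblePathList(value)) {
    throw new Error(`${VAR} rejected: unexpected characters`);
  }
  return safeQuery(value);
}

// Constructed sample values.
const hostile = '/opt/lib"; echo INJECTED; "';
const benign = '/opt/vendor/lib:/usr/local/lib';

console.log(unsafeCommandLine(hostile));   // quote closes early, extra command follows
console.log(safeQuery(hostile) === hostile); // value round-trips unchanged as data
console.log(checkedQuery(benign));
```
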