
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-29256 affects sharp, a Node.js image processing application. The vulnerability was discovered and disclosed on May 25, 2022, and affects versions prior to 0.30.5. The issue exists in the logic that runs during the npm install process, where an attacker with control over the PKG_CONFIG_PATH environment variable could inject arbitrary commands during installation (GitHub Advisory).
The vulnerability is a command injection in the installation process, specifically in how the PKG_CONFIG_PATH environment variable is handled during the npm install operation. The issue received a CVSS v3.1 Base Score of 6.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (NVD).
The vulnerability allows an attacker with control over the build environment to execute arbitrary commands during package installation. It affects only the installation process, not the runtime code. The impact is limited: Windows users are not affected, and the issue primarily concerns environments where the security of the build environment is already compromised (GitHub Advisory).
The vulnerability was fixed in sharp version 0.30.5 with commit a6aeef6. The fix changes how PKG_CONFIG_PATH is handled: the value is passed to the child process as an environment variable rather than substituted into the command string. Users should upgrade to version 0.30.5 or later to address this vulnerability (GitHub Commit).
Source: This report was generated using AI