First published: Thu Nov 16 2023(Updated: )
## Overview

sharp uses libwebp to decode WebP images, and versions prior to the latest 0.32.6 are vulnerable to the high-severity libwebp advisory GHSA-j7hp-h8jx-5ppr (https://github.com/advisories/GHSA-j7hp-h8jx-5ppr).

## Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

## How to resolve this?

### Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp. Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

### Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

## Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.

```js
const sharp = require("sharp");

// Disable the libvips WebP loader so untrusted WebP input is never handed to libwebp
sharp.block({ operation: ["VipsForeignLoadWebp"] });
```
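The advisory's two mitigations are upgrading to sharp 0.32.6 and blocking the libvips WebP loader. The following is an added example, not code from the advisory or from the sharp project, showing an input-side guard that complements them: it compares the installed sharp version against the fixed 0.32.6 and, on an unpatched version, refuses payloads that carry the standard RIFF/WEBP container header before any decoding happens. The version-comparison and header-sniffing logic, the `checkInput` function and the sample buffers are all constructed here; nothing in it calls sharp, so it runs stand-alone, and the header check only catches files that carry the standard WebP container signature, so it is a defence-in-depth layer rather than a replacement for the upgrade.

```javascript
// Added example (not from the advisory or from sharp): gate untrusted image
// input on the installed sharp version and on the WebP container header.

const FIXED_SHARP_VERSION = "0.32.6"; // fixed version stated in the advisory

// Compare two dotted numeric version strings ("0.32.5" vs "0.32.6").
// Returns -1, 0 or 1. Pre-release suffixes are not handled (assumption:
// release builds only).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed sharp already ships the libwebp 1.3.2 fix.
function isSharpVersionFixed(installed) {
  return compareVersions(installed, FIXED_SHARP_VERSION) >= 0;
}

// WebP files are RIFF containers: bytes 0-3 "RIFF", bytes 4-7 a little-endian
// chunk size, bytes 8-11 "WEBP". Both tags are checked so that other RIFF
// formats (WAV, AVI) are not misclassified.
function isWebP(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 12) return false;
  return (
    buf.toString("latin1", 0, 4) === "RIFF" &&
    buf.toString("latin1", 8, 12) === "WEBP"
  );
}

// Decide whether a payload may be passed to sharp. `sharpVersion` would
// normally be read from require("sharp/package.json").version; it is a
// parameter here (assumption) so the example runs without sharp installed.
function checkInput(buf, sharpVersion) {
  if (isSharpVersionFixed(sharpVersion)) {
    return { action: "decode", reason: "sharp >= " + FIXED_SHARP_VERSION };
  }
  if (isWebP(buf)) {
    // Unpatched sharp plus a WebP payload: refuse it at the boundary, on top of
    // sharp.block({ operation: ["VipsForeignLoadWebp"] }) from the advisory.
    return { action: "reject", reason: "WebP refused on unpatched sharp" };
  }
  return { action: "decode", reason: "non-WebP input" };
}

// Constructed sample inputs (not real image files): a minimal WebP container
// header and the PNG signature padded to 12 bytes.
const sampleWebP = Buffer.concat([
  Buffer.from("RIFF", "latin1"),
  Buffer.from([0x24, 0x00, 0x00, 0x00]), // constructed RIFF size field
  Buffer.from("WEBPVP8 ", "latin1"),
]);
const samplePng = Buffer.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x00,
]);

console.log(checkInput(sampleWebP, "0.32.5")); // reject on unpatched sharp
console.log(checkInput(sampleWebP, "0.32.6")); // decode once fixed
console.log(checkInput(samplePng, "0.32.5"));  // non-WebP input still decodes
```

In a real service the `reject` branch should also be logged with the request identity, because a stream of WebP uploads hitting an unpatched host is exactly the signal worth alerting on while the upgrade is rolled out.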
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/sharp | <0.32.6 | 0.32.6 |
The severity of GHSA-54xq-cgqr-rpm3 is high.
GHSA-54xq-cgqr-rpm3 affects almost anyone processing untrusted input with versions of sharp prior to 0.32.6.
To fix GHSA-54xq-cgqr-rpm3, update to the latest version of sharp (0.32.6 or above).
The reference for GHSA-54xq-cgqr-rpm3 can be found at: [link](https://github.com/lovell/sharp/security/advisories/GHSA-54xq-cgqr-rpm3).