| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sharp | npm | < 0.32.6 | 0.32.6 |
The vulnerability originates in the libwebp library, which sharp reaches through its libvips dependency; it is not in the sharp codebase itself. The referenced commit shows that sharp upgraded its libvips dependency to v8.14.5 (which bundles libwebp 1.3.2) to address the issue. The vulnerability is reached when sharp invokes libvips' WebP decoding (e.g., the VipsForeignLoadWebp operation), but the vulnerable code lives in libwebp, not in any sharp function. No vulnerable functions within sharp's own codebase are identified; the risk arises from its dependency chain.
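Because the fix lives in the dependency chain, a defender checking a deployed build wants the linked libwebp version, not only the package version. The following added example (not from the advisory or the sharp project) applies the ranges above to the object that `sharp.versions` returns; it assumes that object carries a `vips` key and, for prebuilt binaries, a `webp` key, and the inputs below are constructed.

```javascript
// Added example, not part of the advisory or of sharp itself.
// Thresholds are the ones stated in the advisory text above.
const FIXED = { sharp: '0.32.6', vips: '8.14.5', webp: '1.3.2' };

// "8.14.5-rc1" -> [8, 14, 5]; pre-release suffixes are ignored.
function parseVersion(v) {
  return String(v).split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Numeric, component-wise comparison so that 1.3.10 > 1.3.2.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// `versions` is assumed to look like sharp.versions: { vips, webp?, ... } plus
// the sharp package version added by the caller. The linked libwebp version is
// the decisive evidence; the package version is only a fallback.
function assessWebpExposure(versions) {
  if (versions.webp !== undefined) {
    const old = compareVersions(versions.webp, FIXED.webp) < 0;
    return { status: old ? 'vulnerable' : 'patched',
             reason: `libwebp ${versions.webp} vs fixed ${FIXED.webp}` };
  }
  // No bundled libwebp reported: sharp is linked against a system libvips, so
  // the package version cannot confirm which libwebp is actually loaded.
  if (versions.sharp !== undefined && compareVersions(versions.sharp, FIXED.sharp) < 0) {
    return { status: 'vulnerable',
             reason: `sharp ${versions.sharp} is in the advisory range < ${FIXED.sharp}` };
  }
  return { status: 'unknown',
           reason: 'no bundled libwebp version reported; verify the system libwebp package' };
}

// Constructed inputs standing in for real `sharp.versions` output.
const samples = [
  { sharp: '0.32.5', vips: '8.14.4', webp: '1.3.1' },
  { sharp: '0.32.6', vips: '8.14.5', webp: '1.3.2' },
  { sharp: '0.32.6', vips: '8.14.5' },
];
for (const s of samples) console.log(JSON.stringify(s), '->', assessWebpExposure(s).status);
```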