PT-2023-32978 · Libwebp+2

Published: 2023-11-16 · Updated: 2023-11-16

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

sharp versions prior to 0.32.6

Description

The issue affects sharp, which uses libwebp to decode WebP images. Almost anyone processing untrusted input with versions of sharp prior to 0.32.6 is affected.

Recommendations

For sharp versions prior to 0.32.6, upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2. If using a globally-installed libvips, ensure you are using the latest libwebp 1.3.2. As a temporary workaround, consider adding sharp.block({ operation: ["VipsForeignLoadWebp"] }); to your code to prevent sharp from decoding WebP images.
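
A startup guard that applies the workaround above only when a fixed libwebp cannot be confirmed. This is an added example, not code from the advisory or from the sharp project; `guardWebp` and `webpDecodeIsRisky` are hypothetical helper names, and the code assumes `sharp.versions` reports the libwebp version under a `webp` key when it is known.

```javascript
// Added example. The fixed libwebp version comes from the advisory text.
const FIXED_LIBWEBP = [1, 3, 2];
const WEBP_LOADER = "VipsForeignLoadWebp"; // operation name from the advisory

// Parse "1.3.2" (or "1.3") into [major, minor, patch]; null when unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v ?? ""));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)] : null;
}

// Numeric, component-wise comparison so that 1.10.0 is not treated as < 1.3.2.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// True when WebP decoding cannot be shown to use a fixed libwebp.
// Assumption: `versions` is shaped like sharp.versions and carries a `webp`
// key only when the libwebp version is reported (it may be absent with a
// globally-installed libvips).
function webpDecodeIsRisky(versions) {
  const webp = parseVersion(versions && versions.webp);
  // Unknown version: fail closed and treat WebP decoding as risky.
  return webp === null ? true : isOlder(webp, FIXED_LIBWEBP);
}

// Returns "ok", "blocked", or "reject-webp". The last value means this sharp
// build has no block() function, so the caller must refuse WebP input itself.
function guardWebp(sharp) {
  if (!webpDecodeIsRisky(sharp.versions)) return "ok";
  if (typeof sharp.block !== "function") return "reject-webp";
  sharp.block({ operation: [WEBP_LOADER] });
  return "blocked";
}
```

Call guardWebp once at process start with the loaded sharp module, before any untrusted image is processed, and log the returned status.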


Related identifiers

GHSA-54XQ-CGQR-RPM3

Affected products

Libvips
Libwebp
Sharp