
Patrick Rombouts

Researcher from drukwerkdeal.nl
#51776 of 53,632
4.3 Total CVSS
Vulnerabilities · 1
PT-2023-22774
4.3
2023-04-17
Gatsby · Gatsby-Plugin-Sharp · CVE-2023-30548
**Name of the Vulnerable Software and Affected Versions**

gatsby-plugin-sharp versions prior to 5.8.1 and 4.25.1

**Description**

The gatsby-plugin-sharp plugin contains a path traversal vulnerability that is exposed when running the Gatsby develop server (`gatsby develop`). By default, `gatsby develop` is only accessible via localhost (127.0.0.1), so the server would have to be intentionally exposed on other interfaces for this vulnerability to be reachable. An attacker exploiting this vulnerability gains read access to all files readable by the server process.

**Recommendations**

To resolve the issue, upgrade to gatsby-plugin-sharp@5.8.1 or gatsby-plugin-sharp@4.25.1. For those running the develop server in its default (localhost-only) configuration, no action is required, as no risk is posed. If the server must listen on other interfaces or IP address ranges, keeping it off untrusted interfaces and ranges mitigates the risk from this vulnerability. As a temporary workaround, restrict access to the develop server to minimize the risk of exploitation.