All sharp CVEs — Complete Vulnerability History
sharp is a high-performance Node.js image processing library built on libvips. The CVE that matters for nearly every sharp user is CVE-2023-4863, a heap buffer overflow in libwebp's lossless (VP8L) decoder that also hit Chrome and Firefox and was exploited in the wild. NVD scores it CVSS 8.8 (High); the 10.0 figure often quoted for it belongs to CVE-2023-5129, the libwebp-specific ID that Google assigned and then withdrew as a duplicate of CVE-2023-4863.
npm
5M+ weekly downloads
1 CVE total
1 CRITICAL
🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-4863 | 2023 | 🔴CRITICAL | Heap buffer overflow in libwebp's VP8L (lossless) Huffman table construction; on CISA KEV; CVSS 8.8 per NVD (the 10.0 score was attached to the withdrawn duplicate CVE-2023-5129) | Fixed in 0.32.6, which ships the patched libwebp 1.3.2 |
Current safe version: 0.33.2 (the latest release when this page was written). Any release from 0.32.6 upward carries the libwebp fix. Note that 0.33.x is a larger step: it requires Node.js ^18.17.0 || ^20.3.0 || >=21.0.0 and moves the prebuilt binaries to the @img/sharp-* packages, so if you cannot take that upgrade yet, 0.32.6 is the minimum safe pin.

Before, in package.json:

```json
"sharp": "0.32.0"
```

After:

```json
"sharp": "0.33.2"
```

Then run `npm install` (or `npm install sharp@0.33.2`, which edits both the manifest and the lockfile for you) and confirm with `npm ls sharp` that no copy older than 0.32.6 remains, including copies nested under other dependencies. Two caveats: a caret range such as `^0.32.0` leaves the lockfile pinned at the already-resolved version until you run `npm update sharp`, and if sharp was compiled against a globally installed libvips rather than using the prebuilt binaries, the libwebp actually in use is the system one and must be patched separately.
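The check above is easy to get wrong by looking only at the top-level entry. The following script, added here as an example and not part of the sharp project or of PackageFix, walks a package-lock.json (both the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1), reports every resolved copy of sharp with a numeric version comparison against 0.32.6, and, when sharp is installed, cross-checks the bundled libwebp via sharp's documented `versions` property (the `webp` key is assumed to be present, as in current releases). The embedded lockfile is constructed for the demonstration.

```javascript
// Added example: audit every copy of sharp in a package-lock.json.
// Not sharp's own code. The sample lockfile below is constructed.

const FIXED_SHARP = '0.32.6'; // first release bundling the patched libwebp

// Numeric comparison of dotted versions; prerelease tags are ignored.
// '0.32.10' must sort above '0.32.6', which a string compare gets wrong.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableSharp(version) {
  return compareVersions(version, FIXED_SHARP) < 0;
}

// Collect { path, version } for every installed sharp, including copies that
// a transitive dependency pins under its own node_modules directory.
function findSharpInstalls(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/sharp' || path.endsWith('/node_modules/sharp')) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'sharp') found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLock(lock) {
  return findSharpInstalls(lock).map((entry) => ({
    ...entry,
    vulnerable: isVulnerableSharp(entry.version),
  }));
}

// Runtime cross-check: sharp.versions lists libvips and its dependencies;
// the webp entry must be 1.3.2 or later. Returns null if sharp is not
// installed so that this file still runs stand-alone.
function bundledWebpVersion() {
  try {
    return require('sharp').versions.webp || null;
  } catch {
    return null;
  }
}

// Constructed sample lockfile: the app pins a vulnerable sharp, while a
// dependency carries its own fixed copy. Both must be reported.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { sharp: '0.32.0', 'some-image-lib': '1.0.0' } },
    'node_modules/sharp': { version: '0.32.0' },
    'node_modules/some-image-lib': { version: '1.0.0', dependencies: { sharp: '0.32.6' } },
    'node_modules/some-image-lib/node_modules/sharp': { version: '0.32.6' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2]; // optional path to a real package-lock.json
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleLock;
  for (const r of auditLock(lock)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} ${r.version}`);
  }
  const webp = bundledWebpVersion();
  if (webp) console.log(`installed sharp reports libwebp ${webp}`);
}
```

Run it as `node audit-sharp.js package-lock.json`; without an argument it audits the constructed sample. A lockfile that shows only fixed versions but a runtime `versions.webp` below 1.3.2 means sharp was built against a global libvips, and that system library is what needs patching.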
Paste your manifest into PackageFix (free, no signup, no CLI, runs in your browser) to see your exact versions against the full CVE history.
Common questions
Is CVE-2023-4863 the same as the Chrome zero-day?
Yes. libwebp is Google's C library for WebP, and the same code is compiled into Chrome, into Firefox, and into the libvips binaries that sharp bundles, so the same crafted lossless WebP file triggers the same heap overflow in all three. It was exploited in the wild against browsers, which is why it is on the CISA KEV list; in a sharp deployment the equivalent exposure is any code path that decodes an image an attacker can supply.
Do I need to process WebP images to be vulnerable?
You need to decode a malicious WebP image. The bug sits in libwebp's decoder (the construction of Huffman tables for lossless data), so merely having the library installed is not enough, but any untrusted input that reaches the decoder is. Two things catch teams out. First, sharp identifies the input format from the bytes, not from the filename or the Content-Type the client sent, so a file uploaded as photo.png that actually holds a WebP bitstream still goes through libwebp; check the magic bytes yourself and refuse formats you do not need. Second, uploads are not the only source: images fetched from URLs, thumbnails of third-party content and files pulled from shared storage all count. Content sniffing narrows the attack surface while you roll out the fix; only upgrading removes the bug.
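A magic-byte gate of the kind described above, added here as an example (this is not sharp's own code and sharp provides no such API): it classifies a buffer by its leading bytes, reports which WebP chunk type it carries, and refuses anything outside an allow-list or anything whose content disagrees with the MIME type the client declared, all before the buffer is handed to the decoder. The header buffers at the bottom are constructed for the demonstration; the Express-style usage in the comment assumes a multer-like `req.file` object.

```javascript
// Added example: content-based image format gate in front of sharp.
// Not part of sharp. Sample buffers are constructed headers only.

const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Classify by leading bytes. Returns 'png' | 'jpeg' | 'gif' | 'webp' | null.
function sniffImageFormat(buf) {
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG_MAGIC)) return 'png';
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return 'jpeg';
  if (buf.length >= 6) {
    const sig = buf.subarray(0, 6).toString('latin1');
    if (sig === 'GIF87a' || sig === 'GIF89a') return 'gif';
  }
  // WebP: RIFF container, 4-byte little-endian size, then the "WEBP" form type.
  if (buf.length >= 12 &&
      buf.subarray(0, 4).toString('latin1') === 'RIFF' &&
      buf.subarray(8, 12).toString('latin1') === 'WEBP') {
    return 'webp';
  }
  return null;
}

// FourCC of the first chunk in a WebP file: 'VP8 ' (lossy), 'VP8L' (lossless,
// the decoder path affected by CVE-2023-4863) or 'VP8X' (extended container,
// which can wrap a lossless bitstream). Informational only: the gate below
// treats every WebP as WebP rather than trying to admit lossy files.
function webpChunkType(buf) {
  if (sniffImageFormat(buf) !== 'webp' || buf.length < 16) return null;
  return buf.subarray(12, 16).toString('latin1');
}

const MIME_BY_FORMAT = { png: 'image/png', jpeg: 'image/jpeg', gif: 'image/gif', webp: 'image/webp' };

// Decide whether a buffer may be passed to the decoder.
// declaredMime may be null when the client sent none.
function checkUpload(buf, declaredMime, allowedFormats) {
  const format = sniffImageFormat(buf);
  if (!format) return { ok: false, format, reason: 'unrecognised or non-image content' };
  if (!allowedFormats.includes(format)) return { ok: false, format, reason: `format ${format} is not accepted` };
  if (declaredMime && MIME_BY_FORMAT[format] !== declaredMime) {
    return { ok: false, format, reason: `content is ${format} but client declared ${declaredMime}` };
  }
  return { ok: true, format, reason: null };
}

// Constructed sample: a lossless WebP header (RIFF size and chunk size are
// placeholders; only the signature bytes matter for sniffing).
function sampleWebpLossless() {
  const b = Buffer.alloc(20);
  b.write('RIFF', 0, 'latin1');
  b.writeUInt32LE(12, 4);
  b.write('WEBP', 8, 'latin1');
  b.write('VP8L', 12, 'latin1');
  b.writeUInt32LE(0, 16);
  return b;
}

// Constructed sample: PNG signature followed by the start of an IHDR chunk.
const samplePng = Buffer.concat([PNG_MAGIC, Buffer.from([0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52])]);

// Usage in a hypothetical Express handler with a multer-style req.file:
//   const verdict = checkUpload(req.file.buffer, req.file.mimetype, ['png', 'jpeg']);
//   if (!verdict.ok) return res.status(415).json({ error: verdict.reason });
//   await sharp(req.file.buffer).resize(256).toFile(outPath);
```

Keep the allow-list to the formats the feature actually needs; if WebP must be accepted, the gate buys nothing against this CVE and the only answer is the upgrade above.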