Advisories for Npm/Systeminformation package

On Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. This is not caused by a caller passing attacker-controlled arguments into networkInterfaces(). The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile …

A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.

Command Injection via Unsanitized locate Output in versions() — systeminformation Package: systeminformation (npm) Tested Version: 5.30.7 Affected Platform: Linux Author: Sebastian Hildebrandt Weekly Downloads: ~5,000,000+ Repository: https://github.com/sebhildebrandt/systeminformation Severity: Medium CWE: CWE-78 (OS Command Injection) The Vulnerable Code Path Inside the versions() function, when detecting the PostgreSQL version on Linux, the code does this: // lib/osinfo.js — lines 770-776 exec('locate bin/postgres', (error, stdout) => { if (!error) { const postgresqlBin = …

The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. Affected Platforms: Windows only CVSS Breakdown: Attack Vector (AV:N): Network - if used in a web application/API Attack Complexity (AC:H): High - requires application to pass user input to fsSize() Privileges Required …

The SSID is not sanitized when before it is passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands.

Impact SSID Command Injection Vulnerability Patches Problem was fixed with a parameter check. Please upgrade to version >= 5.21.7, Version 4 was not affected Workarounds If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks() (string only) References See also https://systeminformation.io/security.html

systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation there is a command injection vulnerability. Problem was fixed with a shell string sanitation fix.

systeminformation is an open source system and OS information library for node.Please upgrade to If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and other commands. Only allow strings, reject any arrays. String sanitation works as expected.

command injection vulnerability

systeminformation suffers from a command injection vulnerability.

npm package systeminformation is vulnerable to Prototype Pollution leading to Command Injection.If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

This affects the package systeminformation The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

The systeminformation package is vulnerable to Command Injection. An attacker can concatenate the curl command's parameters to overwrite Javascript files and then execute any OS commands.