A severe command injection vulnerability has been discovered in systeminformation, a widely-used Node.js library for retrieving system information.
The flaw, tracked as CVE-2025-68154, allows attackers to execute arbitrary commands on Windows systems when applications pass user input to the vulnerable function.
The vulnerability exists in the fsSize() function, which retrieves disk space information but fails to properly validate the optional drive parameter before passing it to PowerShell commands.
Maintained by Sebastian Hildebrandt, the systeminformation package ranks among the most popular Node.js system monitoring libraries.
Technical Details
The vulnerability occurs in lib/filesystem.js at line 197, where the drive parameter is directly concatenated into a PowerShell command string without sanitization.
When an application accepts user input and passes it to fsSize(), attackers can inject arbitrary PowerShell commands.
Interestingly, the codebase already implements proper input sanitization: the util.sanitizeShellString() function is used elsewhere for similar operations. The fsSize() function simply failed to apply this same protection.
The attack works by injecting semicolons and comment characters into the drive parameter.
An attacker could supply a payload like “C:; whoami #” which executes the whoami command while commenting out the rest of the original command.
More sophisticated attacks could download ransomware, exfiltrate sensitive files, or establish persistent access.
Sebastian Hildebrandt released version 5.27.14 on December 16, 2025, which patches the vulnerability. Developers must immediately update all instances of systeminformation to version 5.27.14 or newer.
The fix applies the util.sanitizeShellString() function to the drive parameter before constructing the PowerShell command, removing dangerous characters including semicolons, pipes, and other special characters that enable command injection.
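To make the bug class concrete, here is an added example (not code from the systeminformation project) contrasting the vulnerable concatenation pattern with a hardened builder that allowlists the drive parameter and then sanitizes it. The sanitizer and the PowerShell query text are assumptions standing in for the library's own util.sanitizeShellString() and command; the sample payload is the one quoted above.

```javascript
// Added example, not the systeminformation project's code. The query text
// and the sanitizer are hypothetical stand-ins for the library's own.

// Characters that let a parameter break out of a PowerShell command string.
const SHELL_META = /[;&|`$(){}\[\]<>"'#\r\n]/g;

// Hypothetical sanitizer: strips shell metacharacters but keeps the rest of
// the text, so on its own it only blunts an injection rather than rejecting it.
function sanitizeShellString(value) {
  return String(value).replace(SHELL_META, '');
}

// Primary defence: an allowlist. A drive reference is one letter with an
// optional trailing colon; anything else is refused before any command exists.
function isValidDrive(drive) {
  return /^[A-Za-z]:?$/.test(String(drive));
}

// Normalise an accepted drive to the "X:" form the query expects.
function normalizeDrive(drive) {
  return drive.toUpperCase().replace(/:$/, '') + ':';
}

// The vulnerable pattern: untrusted input concatenated straight into the
// command string (mirrors the bug class, not the library's exact line).
function buildCommandUnsafe(drive) {
  return `Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${drive}'"`;
}

// Hardened pattern: allowlist first, then sanitize as defence in depth.
function buildCommandSafe(drive) {
  if (!isValidDrive(drive)) {
    throw new Error(`rejected drive parameter: ${JSON.stringify(drive)}`);
  }
  const clean = normalizeDrive(sanitizeShellString(drive));
  return `Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${clean}'"`;
}

// Review aid: flag a built command that still carries separator characters.
function commandLooksInjected(cmd) {
  return /[;#|&`]/.test(cmd);
}

// Constructed sample input: the payload quoted in the write-up.
const SAMPLE_PAYLOAD = 'C:; whoami #';
console.log(commandLooksInjected(buildCommandUnsafe(SAMPLE_PAYLOAD))); // true
```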
Organizations using systeminformation should prioritize this update immediately.
The CVSS score of 7.5 reflects the serious nature of the flaw, particularly given that it can be exploited at the library level with no user interaction or authentication required.
Any application that uses vulnerable versions and handles user input represents an active security risk.
