A serious security flaw has been discovered in systeminformation, a popular Node.js library used by thousands of developers.
The vulnerability, labelled CVE-2025-68154, allows attackers to run malicious code on Windows computers. All versions up to 5.27.13 are affected, and developers must update to version 5.27.14 immediately.
Systeminformation is a widely-used Node.js package that helps developers gather information about computer systems, including disk space, memory usage, and running processes.
Because many applications depend on this library, this vulnerability affects a large portion of the development community. The vulnerability exists in the fsSize() function, which checks the amount of free disk space.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-68154 |
| Package | systeminformation (npm) |
| Vulnerability Type | OS Command Injection (CWE-78) |
| Affected Versions | ≤5.27.13 |
| CVSS Score | 7.5 |
| Attack Vector | Network |
The problem occurs when this function receives user input for specifying which drive to check. The code does not clean or validate this input before using it in a PowerShell command.
An attacker can inject additional commands instead of just requesting information about drive C:. They could inject something like “C:; whoami #” to execute extra commands and reveal system information.
Only applications meeting specific conditions are at risk. The application must run on Windows, use the fsSize() function with user-controlled input, and pass user data directly to the function.
This mainly affects web applications, APIs, dashboards, and monitoring tools that let users specify which drive to query.
If exploited, attackers could execute arbitrary commands with the Node.js process’s privileges. They could download ransomware, steal sensitive files, gain system control, or attack other computers on the network.
According to the advisory, developers must immediately update system information to version 5.27.14. This patched version properly validates input by removing dangerous characters.
Developers should also review their applications to ensure they’re not passing user input directly to fsSize(). Consider allowing drive letters as an additional layer of protection.
This vulnerability highlights the critical importance of keeping software dependencies up to date and validating user input before using it in system commands. Organizations should prioritize this patch as part of regular security maintenance.
AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Checklist => Start for Free
