Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-68154

Опубликовано: 16 дек. 2025
Источник: redhat
CVSS3: 8.1

Описание

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the fsSize() function in systeminformation is vulnerable to OS command injection on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to fsSize(), it is not vulnerable. Version 5.27.14 contains a patch.

A flaw was found in systeminformation. This vulnerability allows arbitrary command execution via an operating system (OS) command injection in the fsSize() function on Windows systems, where the drive parameter is unsanitized and directly concatenated into a PowerShell command.

Отчет

In the Red Hat context, this vulnerability has no impact as it is specific to Windows operating systems and relies on PowerShell commands, which are not utilized in Red Hat products.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Developer Hubrhdh/rhdh-hub-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-78
https://bugzilla.redhat.com/show_bug.cgi?id=2422883systeminformation: systeminformation: OS Command Injection in `fsSize()` allows arbitrary command execution on Windows.

8.1 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-68154

CVSS3: 8.1
nvd
4 месяца назад

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

github логотип

GHSA-wphj-fx3q-84ch

CVSS3: 8.1
github
4 месяца назад

systeminformation has a Command Injection vulnerability in fsSize() function on Windows

8.1 High

CVSS3