Vulnerability Description
systeminformation is a system and OS information library for Node.js. In versions prior to 5.27.14, the `fsSize()` function is vulnerable to OS command injection on Windows. The optional `drive` parameter is concatenated directly into a PowerShell command string without sanitization, so a caller-supplied value that breaks out of the expected drive specifier becomes arbitrary PowerShell code executed in the context of the Node.js process. Actual exploitability depends on how an application uses the function: an application that never passes user-controlled input to `fsSize()` is not exposed, while one that takes the drive value from a request parameter or another untrusted source is. Version 5.27.14 contains a patch; upgrading is the fix, and `npm ls systeminformation` is the quick way to confirm which version a deployment resolves.
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Systeminformation | Systeminformation | < 5.27.14 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References
- https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c (Patch)
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wph (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2025-68154?
CVE-2025-68154 is a vulnerability with a CVSS score of 8.1 (HIGH). systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows system...
How severe is CVE-2025-68154?
CVE-2025-68154 has been rated HIGH with a CVSS base score of 8.1/10. Because the weakness is command injection on Windows, the practical impact is arbitrary code execution in the context of the affected Node.js process whenever attacker-controlled input reaches `fsSize()`.
Is there a patch for CVE-2025-68154?
Yes. Version 5.27.14 of systeminformation contains the fix; the patch commit and the vendor advisory are listed in the references section above. Affected products include: Systeminformation Systeminformation (versions prior to 5.27.14) and Microsoft Windows (the platform on which the vulnerable code path runs).