Skip to content

Command Injection Vulnerability

moderate severity GitHub Reviewed Published Feb 16, 2021 in sebhildebrandt/systeminformation • Updated Mar 19, 2021

Package

npm systeminformation (npm)

Affected versions

< 5.3.1

Patched versions

5.3.1

Description

Impact

command injection vulnerability

Patches

Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1

Workarounds

If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

References

@sebhildebrandt sebhildebrandt published the maintainer security advisory Feb 14, 2021

CVE ID

CVE-2021-21315