Description

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

INFO

Published Date :

2025-12-16T18:18:03.640Z

Last Modified :

2025-12-17T18:50:42.535Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68154 vulnerability.

Vendors Products
Microsoft
  • Windows
Systeminformation
  • Systeminformation
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68154.

URL Resource
https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68 cve-icon cve-icon cve-icon
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-68154 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-68154 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact