CVE-2025-68154
published 2025-12-16

Priority: P2 (64)
CVSS 3.1 base score: 8.1 (high)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.86% (95.8th percentile)
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

Affected

3 ranges

Vendor              Product             Version range      Fixed in
sebhildebrandt      systeminformation   < 5.27.14          5.27.14
systeminformation   systeminformation   < 5.27.14          5.27.14
systeminformation   systeminformation   >= 0, < 5.27.14    5.27.14

Detection & IOCs

  • The vulnerable sink is the `fsSize()` function in the systeminformation Node.js library on Windows; the `drive` parameter is unsanitized and directly concatenated into a PowerShell command — monitor for unexpected PowerShell child processes spawned from Node.js processes using systeminformation versions prior to 5.27.14.
  • Exploitation is only possible when user-controlled input is passed as the `drive` parameter to `fsSize()`; audit application code for any call path where external/user input flows into `fsSize(drive)` on Windows.
  • Scope is strictly Windows/PowerShell; Linux/Red Hat environments are not affected — focus detection efforts on Windows hosts running Node.js applications that bundle systeminformation < 5.27.14.
  • Exploitation requires user-controlled input to reach the `drive` parameter of `fsSize()`; applications that do not expose this parameter to external input are not exploitable regardless of library version.
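The description above says the `drive` string is concatenated straight into a PowerShell command line, and the audit bullet asks where external input can reach `fsSize(drive)`. The following is an added example, not systeminformation's own code: it sketches the concatenation shape for contrast (the PowerShell command text is an assumption) and shows an allowlisting wrapper an application can place in front of `fsSize()` so that only a bare drive letter ever reaches the library. The helper names `normalizeDrive` and `safeFsSize` are invented for this example.

```javascript
// Added example, not code from the systeminformation project.
// The command shape below is an assumption used only to illustrate the
// pattern the advisory describes: the caller-supplied string becomes part
// of the PowerShell command line, so any shell syntax inside it is
// interpreted as command text rather than as a drive name.
function buildUnsafeCommand(drive) {
  return `powershell -NoProfile -Command "Get-PSDrive ${drive}"`;
}

// Defensive wrapper for application code that calls fsSize(drive).
// A Windows drive designator is one letter, optionally followed by ':'.
// Everything else (paths, quotes, separators, operators) is rejected
// before the value can reach the library's command construction.
const DRIVE_RE = /^[A-Za-z]:?$/;

// Returns a canonical "X:" designator, undefined when no drive was
// requested (fsSize() then reports all mounted filesystems, per the
// library's documented optional parameter), or throws on anything else.
function normalizeDrive(drive) {
  if (drive === undefined || drive === null || drive === '') {
    return undefined;
  }
  if (typeof drive !== 'string' || !DRIVE_RE.test(drive)) {
    throw new TypeError(`invalid drive designator: ${JSON.stringify(drive)}`);
  }
  return drive.charAt(0).toUpperCase() + ':';
}

// `si` is the systeminformation module (or a stand-in in tests); the only
// values that ever reach si.fsSize() are undefined or a validated "X:".
function safeFsSize(si, drive) {
  return si.fsSize(normalizeDrive(drive));
}

// Convenience for audit scripts: true when a candidate string would be
// accepted by the wrapper, false otherwise (never throws).
function isSafeDrive(drive) {
  try {
    normalizeDrive(drive);
    return true;
  } catch (e) {
    return false;
  }
}
```

The `buildUnsafeCommand` function exists only to show why raw concatenation is the sink; application code should route every caller-supplied value through `safeFsSize` (or equivalent validation) and upgrade to 5.27.14 or later.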

CVSS provenance

NVD: CVSS v3.1, 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 8.1 HIGH