CVE-2025-68154

CWE-78 — OS Command Injection6 documents6 sources

Severity

8.1HIGH

EPSS

0.1%

top 80.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sebhildebrandt Systeminformation Systeminformation Systeminformation

Timeline

PublishedDec 16

Description

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass u…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶npmsysteminformation< 5.27.14

▶CVEListV5sebhildebrandt/systeminformation< 5.27.14

▶NVDsysteminformation/systeminformation< 5.27.14

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

systeminformation has a Command Injection vulnerability in fsSize() function on Windows↗2025-12-16

▶

CVEList

Command Injection in fsSize() on Windows↗2025-12-16

▶

OSV

systeminformation has a Command Injection vulnerability in fsSize() function on Windows↗2025-12-16

▶

📋Vendor Advisories

Red Hat

systeminformation: systeminformation: OS Command Injection in `fsSize()` allows arbitrary command execution on Windows.↗2025-12-16

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68154 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶