systeminformation has a Command Injection vulnerability in fsSize() function on Windows

Severity:: High

Description

The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.

Recommendation

Update the systeminformation package to the latest compatible version. Followings are version details:

Affected version(s): < 5.27.14
Patched version(s): 5.27.14

References

GHSA-wphj-fx3q-84ch
CVE-2025-68154
CWE-78
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
systeminformation SSID Command Injection Vulnerability - CVE-2023-42810
Command Injection Vulnerability in systeminformation - CVE-2021-21388
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280

Tags:: npm; systeminformation

Anything's wrong? Let us know Last updated on December 16, 2025