CVE-2025-68154
HIGH8.1EPSS 0.05%systeminformation has a Command Injection vulnerability in fsSize() function on Windows
Published: 12/16/2025Modified: 6/1/2026
Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.
Affected packages (2)
- Debian/node-systeminformationfrom 0
- npm/systeminformationfrom 0, < 5.27.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68154
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-68154
- PATCHhttps://github.com/sebhildebrandt/systeminformation
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68
- WEBhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch