CVE-2025-68154

Published: Dec 16, 2025Modified: Feb 19, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

Affected (1)

Products: Systeminformation: Systeminformation

Systeminformation

1 product

Systeminformation

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Systeminformation Systeminformation	Before 5.27.14

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68

Source: security-advisories@github.com

Patch

https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

Timeline

No history available yet.