CVE-2021-21315

Name of the Vulnerable Software and Affected Versions systeminformation versions prior to 5.3.1

Description The System Information Library for Node.JS is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1, there is a command injection vulnerability. The problem was fixed in version 5.3.1. This vulnerability can be exploited by passing malicious parameters to certain functions, allowing an attacker to execute arbitrary commands. For example, the API endpoint "/api/getServices" can be exploited by passing a malicious "name" parameter, such as "name[]=$(echo -e 'test' > pwn.txt)".

Recommendations For systeminformation versions prior to 5.3.1, upgrade to version 5.3.1 or later to fix the command injection vulnerability. As a workaround, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... only allow strings, reject any arrays. String sanitation works as expected.