PT-2025-51775 · Unknown · Systeminformation

Published

2025-12-16

Updated

2026-05-20

CVE-2025-68154

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
systeminformation

Affected Versions

systeminformation versions prior to 5.27.14

Description

The fsSize() function in the systeminformation Node.js library is susceptible to OS command injection on Windows. Its optional drive parameter is concatenated directly into a PowerShell command string without sanitization, so arbitrary command execution becomes possible when user-supplied input reaches this function. This is inconsistent with other functions in the codebase, which sanitize user input with util.sanitizeShellString(). Exploitability depends on how an application uses the function: applications that never pass user-controlled input to fsSize() are not affected. Successful exploitation could lead to remote code execution, data exfiltration, and potentially privilege escalation. The issue affects applications running systeminformation on Windows that pass user-controlled input to fsSize(drive), including web applications, APIs, and monitoring dashboards.

Recommendations

Apply util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase.

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-68154
GHSA-WPHJ-FX3Q-84CH

Affected Products

Systeminformation