Command injection flaw reported in Node.js systeminformation package
Take action: If you use the systeminformation Node.js library on Windows, upgrade to version 5.27.14 or newer to patch this command injection flaw. Review every application that uses the library, especially web APIs, dashboards and CLI tools that accept user input for disk queries, and confirm each one is running the patched version.
Learn More
A command injection vulnerability has been identified in systeminformation, a Node.js library used for retrieving system information.
The flaw is tracked as CVE-2025-68154 (CVSS score 7.5) and affects the fsSize() function on Windows. It allows an attacker to execute arbitrary PowerShell commands whenever an application passes unsanitized user input to that function.
The optional drive parameter is concatenated directly into the PowerShell command string the library builds around Get-WmiObject, with no validation or sanitization. Any application that accepts user input for a disk information query and passes it through to fsSize() therefore lets an attacker append further PowerShell statements using semicolons and comment characters.
Notably, the systeminformation codebase already sanitizes shell input elsewhere through util.sanitizeShellString(), but that call was omitted from fsSize().
A payload such as "C:; whoami #" illustrates the mechanism: the semicolon ends the intended statement, whoami runs as a separate command, and the hash symbol comments out whatever the library appends after the drive value.
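The pattern above, as an added example that is not code from systeminformation or its author: a builder that splices the drive value into the command text, beside a blocklist filter mirroring the character list the page says the fix strips, and an allowlist check that rejects anything but a drive letter. The command template is an assumption (the library's real string differs); what it preserves is the property the page's payload relies on, namely that the value lands in an unquoted argument position, so `;` ends the statement and `#` starts a comment.

```javascript
// Added example, not the library's own code. Models the injection described
// on this page and two ways to close it. Template is assumed, not the real one.

const PAYLOAD = 'C:; whoami #'; // the page's example payload

// VULNERABLE pattern: caller-controlled input concatenated straight into text
// that powershell.exe will parse as script.
function buildFsSizeCommandVulnerable(drive) {
  return 'Get-WmiObject Win32_LogicalDisk' +
    (drive ? ` | Where-Object DeviceID -eq ${drive}` : '') +
    ' | Select-Object DeviceID,Size,FreeSpace';
}

// Blocklist approach: remove the characters the page says the fix strips
// (';', '|', '&', '$', '`', '#'). A stand-in written for this example, not
// the library's util.sanitizeShellString().
function stripShellMeta(value) {
  return String(value).replace(/[;|&$`#]/g, '');
}

// Allowlist approach: a drive is one letter plus a colon (assumed accepted
// format). Anything else is rejected, and the accepted value is single-quoted
// so PowerShell can only ever read it as a string literal.
function validateDrive(drive) {
  if (!/^[A-Za-z]:$/.test(drive)) {
    throw new TypeError(`invalid drive specifier: ${JSON.stringify(drive)}`);
  }
  return drive.toUpperCase();
}

function buildFsSizeCommandSafe(drive) {
  const d = drive ? validateDrive(drive) : null;
  return 'Get-WmiObject Win32_LogicalDisk' +
    (d ? ` | Where-Object DeviceID -eq '${d}'` : '') +
    ' | Select-Object DeviceID,Size,FreeSpace';
}

// True when the built command still carries the injected second statement.
function containsInjectedStatement(cmd) {
  return /;\s*whoami/.test(cmd);
}

// Runs the same payload through all three builders and reports the outcome.
function demo() {
  let rejected = false;
  try {
    buildFsSizeCommandSafe(PAYLOAD);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    vulnerable: buildFsSizeCommandVulnerable(PAYLOAD),
    stripped: buildFsSizeCommandVulnerable(stripShellMeta(PAYLOAD)),
    safeBenign: buildFsSizeCommandSafe('c:'),
    rejected,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable :', r.vulnerable);
  console.log('stripped   :', r.stripped);
  console.log('allowlisted:', r.safeBenign, '/ payload rejected:', r.rejected);
}
```

Stripping leaves "C: whoami " behind: no longer a separate statement, but not a valid drive either, so the query simply fails. Allowlisting fails fast with a clear error and, because quotes are outside the allowed set, the single-quoted value cannot be broken out of. Prefer the allowlist when the accepted format is as narrow as a drive letter.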
Applications running systeminformation on Windows that expose web APIs, monitoring dashboards, or CLI tools accepting user-controlled drive parameters are vulnerable.
Sebastian Hildebrandt released version 5.27.14 on December 16, 2025, which applies util.sanitizeShellString() to the drive parameter before the PowerShell command is built. That function strips characters that enable command injection, including semicolons, pipes, ampersands, dollar signs, backticks, and hash symbols.
Development teams using the systeminformation library should upgrade to version 5.27.14 or newer. Where an immediate upgrade is not possible, do not pass user-controlled values to fsSize() on Windows without first validating them against a strict allowlist (for example, a single drive letter followed by a colon).