- Description
- systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- systeminformation
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-78
- Hype score
- Not currently trending
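Serious vulnerability CVE-2025-68154 in a Node.js library has been FIXED: RCE caused by inadequate input validation https://t.co/ximnicW7O2 The cause of this issue is that the library tries to execute information it received from outside, as-is, as a Windows command (PowerShell)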
@iototsecnews
5 Jan 2026
105 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A new vulnerability of type Command execution, with identifier CVE-2025-68154, has been published for Node.js. The vulnerability relates to a library named systeminformation; to secure the library
@EthicalSafe
18 Dec 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68154 : Critical 10.0 RCE in Node.js Hijacks Windows Systems (The Mandatory Patch & Secret Rotation Guide). Read the full report on - https://t.co/09yZj1Tlex https://t.co/mD166EkLrX
@cyberbivash
18 Dec 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 #Windows users of NPM systeminformation be aware of #CVE-2025-68154. The fsSize function is vulnerable to OS Command #Injection. The drive parameter is added to a PowerShell command without sanitization, allowing arbitrary command execution when user input reaches the https:
@CheckmarxZero
18 Dec 2025
115 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical RCE flaw CVE-2025-68154 in systeminformation Node.js library affects versions up to 5.27.13 on Windows. Update to 5.27.14 immediately to mitigate risk. #Vulnerability https://t.co/14tAbY14mX
@threatcluster
18 Dec 2025
79 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical OS Command Injection (CVE-2025-68154) in the systeminformation Node.js library risks RCE on Windows. Affects 16M+ users. Upgrade to v5.27.14. #NodeJS #Cybersecurity #RCE #systeminformation #Windows https://t.co/CTw8uilaKQ
@the_yellow_fall
18 Dec 2025
231 Impressions
2 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
🟠 CVE-2025-68154 - High systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windo... https://t.co/26xj3yfaSa https://t.co/yyCYdWBGUd
@TheHackerWire
16 Dec 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "4E586FA2-BB8A-49BC-AB57-A8D3F539FCC2",
            "versionEndExcluding": "5.27.14",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]