The vulnerability exists in the `fsSize()` function of the `systeminformation` npm package on Windows. The optional `drive` parameter is not sanitized and is concatenated directly into a PowerShell command string. When user-controlled input (for example, an API parameter) reaches this function, an attacker can inject commands using shell metacharacters such as the semicolon. The function builds its command around `Get-WmiObject Win32_logicaldisk`. An input like `C:; whoami #` breaks the intended command structure: the semicolon terminates the `where -property Caption -eq C:` clause, so the injected `whoami` runs as a separate command, and the hash symbol (`#`) comments out the remaining pipeline characters so that no syntax error occurs. The result is arbitrary command execution with the privileges of the Node.js process.
Platform: Windows
Version: systeminformation library
Vulnerability: Command Injection
Severity: Critical
Date: 2021-02-XX
<h2 style="color: blue;">Prediction: Patch expected soon</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Check whether the package is installed:
```shell
npm list systeminformation
```
Vulnerable call with the injected `drive` value:
```javascript
const si = require('systeminformation');
si.fsSize("C:; whoami #");
```
Resulting PowerShell command (the `#` comments out the trailing `| fl`):
```powershell
Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl
```
<h2 style="color: blue;">How Exploit:</h2>
Malicious API request: `/api/disk?drive=C:; whoami #`
The payload terminates the intended command with `;`
The payload comments out the rest of the pipeline with `#`
Protection from this CVE:
Apply `util.sanitizeShellString()` to the `drive` value before it is placed in the command
Update to a patched version of the package
Validate the `drive` parameter before passing it to the library
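The following is an added example of the input-validation mitigation listed above; it is not code from the original post or from the `systeminformation` project. It assumes a hypothetical `/api/disk` request handler and a caller-supplied `fetchFsSize` function standing in for the library call; the drive-letter allowlist and the quoting of the validated value are the example's own choices.

```javascript
// Added example (not from the original post or the systeminformation project):
// allowlist validation of a Windows drive designator before it can reach any
// code that builds a shell or PowerShell command string.

// Accept only one ASCII letter followed by a colon, e.g. "C:" or "d:".
// Anything else (metacharacters, backslashes, empty strings) is rejected.
const DRIVE_PATTERN = /^[A-Za-z]:$/;

// Returns the normalized drive ("C:") or null when the input is not acceptable.
function normalizeDrive(input) {
  if (typeof input !== 'string') return null;
  const trimmed = input.trim();
  if (!DRIVE_PATTERN.test(trimmed)) return null; // rejects "C:; whoami #", "C:\\", "" ...
  return trimmed.toUpperCase();
}

// Builds the same WMI query the post shows, but only for a validated drive.
// The allowlist guarantees no metacharacter is present; quoting the value is a
// second, independent layer.
function buildDiskQuery(drive) {
  const safe = normalizeDrive(drive);
  if (safe === null) {
    throw new Error(`invalid drive parameter: ${JSON.stringify(drive)}`);
  }
  return `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq '${safe}' | fl`;
}

// Hypothetical handler for the /api/disk?drive=... endpoint mentioned in the post.
// `fetchFsSize` is injected (it would wrap the library call in a real app) so the
// handler can be exercised offline. Invalid input never reaches it.
function handleDiskRequest(query, fetchFsSize) {
  const drive = normalizeDrive(query.drive);
  if (drive === null) {
    return { status: 400, body: { error: 'drive must be a single letter followed by ":"' } };
  }
  return { status: 200, body: fetchFsSize(drive) };
}

// Constructed sample requests: one legitimate, one carrying the injection pattern.
const sampleRequests = [{ drive: 'C:' }, { drive: 'C:; whoami #' }];
for (const q of sampleRequests) {
  const res = handleDiskRequest(q, (d) => ({ fs: d, size: 0 }));
  console.log(JSON.stringify(q), '->', res.status);
}

module.exports = { normalizeDrive, buildDiskQuery, handleDiskRequest };
```

The allowlist is deliberately strict: a drive designator has exactly one legal shape, so there is no reason to accept and "clean" anything else. Rejecting at the request boundary also gives a natural detection point, since every 400 from this handler with a metacharacter in `drive` is a log line worth alerting on.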
Impact:
Remote Code Execution
Data Exfiltration
Privilege Escalation
Sources:
Reported By: github.com