systeminformation@4.33.1 vulnerabilities

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Improper Input Validation. The function versions doesn't check the input of the user, which is expected a string.

const si = require('systeminformation');
si.versions({toString : () => { console.log("This is a PoC") }});

Upgrade systeminformation to version 5.6.11 or higher.

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Arbitrary Command Injection. Service parameters passed to si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad() are not sanitized properly.

Upgrade systeminformation to version 5.6.4 or higher.

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the sanitizeShellString function due to not sanitising @ properly.

Upgrade systeminformation to version 5.3.4 or higher.

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Command Injection. It is possible to send an array instead of string, which bypasses the sanitizer.

Upgrade systeminformation to version 4.34.11, 5.3.1 or higher.

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Denial of Service (DoS). By leveraging the inetLatency() function, it is possible to execute a ping command that would run for a long time, leading to denial of service.

Upgrade systeminformation to version 4.34.10 or higher.