Command Injection
systeminformation is a simple system and OS information library.
Affected versions of this package are vulnerable to Command Injection in the networkInterfaces function when handling NetworkManager connection profile names obtained from nmcli device status output. An attacker can execute arbitrary shell commands with the privileges of the calling Node.js process by creating or renaming an active NetworkManager connection profile to include shell metacharacters, which are then unsafely interpolated into shell commands executed by the process.
How to fix Command Injection? Upgrade systeminformation to version 5.31.6 or higher.
Command Injection
systeminformation is a simple system and OS information library.
Affected versions of this package are vulnerable to Command Injection via the wifiNetworks() function. The iface parameter is sanitized on the normal code path, but when a timeout triggers a retry the original, unsanitized value is passed to execSync(). An attacker can execute arbitrary operating system commands by supplying crafted input to the iface parameter.
How to fix Command Injection? Upgrade systeminformation to version 5.30.8 or higher.
Command Injection
systeminformation is a simple system and OS information library.
Affected versions of this package are vulnerable to Command Injection via the versions() function, which executes a locate command to find a PostgreSQL installation on Linux. An attacker who can write files to the target filesystem can execute arbitrary commands with the privileges of the running process by planting a file whose name contains shell metacharacters. The attacker must have sufficient permissions to write files in directories indexed by updatedb.
How to fix Command Injection? Upgrade systeminformation to version 5.31.0 or higher.
Command Injection
systeminformation is a simple system and OS information library.
Affected versions of this package are vulnerable to Command Injection via the fsSize function when the drive parameter is concatenated into a PowerShell command without proper sanitization. An attacker can execute arbitrary commands on the underlying Windows system by supplying crafted input to the drive parameter.
## Workaround
This vulnerability could be mitigated by applying util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase.
How to fix Command Injection? Upgrade systeminformation to version 5.27.14 or higher.