CyberSec.Space Logo
Back to CVE Browser

CVE-2021-21315

Known Exploited (CISA KEV)HIGH
7.1
CVSS Severity Score
EPSS Score51.7510%
EPSS Percentile91.33th
PublishedFeb 16, 2021
Last ModifiedOct 24, 2025

Vulnerability Description

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

Affected Platforms (CPE)

πŸ“¦
Systeminformation

Systeminformation

< 5.3.1
πŸ“¦
Apache

Cordova

= 10.0.0

References & Advisories

πŸ”— https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
πŸ”— https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
πŸ”— https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E
πŸ”— https://security.netapp.com/advisory/ntap-20210312-0007/
πŸ”— https://www.npmjs.com/package/systeminformation
πŸ”— https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
πŸ”— https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
πŸ”— https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E

Related Vulnerabilities

CVE-2021-213888.9

systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been disc...

CVE-2020-77528.8

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can conca...

CVE-2020-262458.1

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue w...

CVE-2020-77787.3

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, wh...