CVE-2020-26245

8.1 HIGH

📋 TL;DR

This vulnerability in the systeminformation npm package is a command injection, not a prototype pollution: the url argument of si.inetChecksite() is built into a shell command string, so shell metacharacters in attacker-controlled input are executed with the privileges of the Node.js process. It affects applications that call si.inetChecksite() with untrusted input on versions before 4.30.5, which added sanitisation of that string. Developers embedding this package in Node.js applications that expose the function to user input are at risk.

💻 Affected Systems

Products:
  • systeminformation npm package
Versions: All versions before 4.30.5
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the si.inetChecksite() function with untrusted input.

📦 What is this software?

systeminformation is a Node.js library that reports hardware, OS, network and process details. On every platform it gathers much of that data by running platform commands through the shell and parsing their output, which is why a string argument that reaches one of those commands unsanitised becomes a command injection.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠

Likely Case

Limited command execution within the application's context, potentially leading to data theft, service disruption, or lateral movement.

🟢

If Mitigated

No impact if input validation prevents malicious payloads from reaching the vulnerable function.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to call si.inetChecksite() with attacker-controlled input, for example a URL taken from a request parameter. No authentication against the library itself is involved, and the injected commands run as the user the Node.js process runs as.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.30.5 and later

Vendor Advisory: https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg

Restart Required: Yes

Instructions:

1. Update package.json so the systeminformation range excludes vulnerable releases (e.g. "^4.30.5")
2. Run 'npm install systeminformation@^4.30.5' (or 'npm update systeminformation' if the new range already permits it) and commit the updated lockfile so CI and production resolve the fixed version
3. Restart your Node.js application so the patched module is loaded

🔧 Temporary Workarounds

Input validation for si.inetChecksite()

Platform: all

Validate the url parameter before it reaches si.inetChecksite(): parse it, accept only http(s) URLs whose hostname and path match a strict character allow-list, and reject anything containing shell metacharacters (; | & ` $ ( ) < > quotes or whitespace). Rebuild the string from the validated components rather than passing the original input through.

🧯 If You Can't Patch

  • Never pass raw request parameters to si.inetChecksite(); allow-list the URL (scheme, hostname, port, path) and reject everything else
  • Remove or disable usage of si.inetChecksite() if not essential
  • Run the Node.js process as an unprivileged user so that an injected command cannot do more than the application itself could
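The validation the two workaround items above describe, written out as an added example (this is not code from the systeminformation project, and the regex limits and the `checkSiteSafely` wrapper name are assumptions made here). The wrapper parses the input with the WHATWG URL parser, checks each component against an allow-list, and rebuilds the URL from those components so that nothing outside the allow-list can reach the shell command string that vulnerable versions build from the argument. Note that successful parsing alone is not enough: the WHATWG parser accepts characters such as `;` and `$` in a hostname.

```javascript
// Added example: allow-list wrapper for the url argument of si.inetChecksite().
// Not code from the systeminformation project.

// RFC 1123-style hostname: dotted labels of letters, digits and hyphens.
// IPv6 literals such as "[::1]" are deliberately rejected by this rule.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Path: unreserved characters, "/" and %XX escapes only. Nothing the shell
// interprets (; | & ` $ ( ) < > quotes whitespace) can appear here.
const PATH_RE = /^(?:[A-Za-z0-9\/._~-]|%[0-9A-Fa-f]{2})*$/;

// Returns a canonical http(s) URL string, or null if the input is not acceptable.
function sanitizeSiteUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  let u;
  try {
    u = new URL(input);                 // WHATWG parser; throws on malformed input
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;   // no userinfo
  if (u.search || u.hash) return null;         // no query string or fragment
  // The parser accepts ';', '$' and similar inside a hostname, so the hostname
  // must be validated on its own rather than trusted because parsing succeeded.
  if (!HOSTNAME_RE.test(u.hostname)) return null;
  if (!PATH_RE.test(u.pathname)) return null;
  // Rebuild from the validated parts instead of returning the original string.
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}${u.pathname}`;
}

// Guarded call. `si` is passed in (assumption for the example) so the wrapper
// can be exercised without the package installed; in an application it is
// require('systeminformation').
async function checkSiteSafely(si, input) {
  const url = sanitizeSiteUrl(input);
  if (url === null) {
    throw new Error('refusing to pass unvalidated url to si.inetChecksite()');
  }
  return si.inetChecksite(url);
}
```

`sanitizeSiteUrl('https://example.com;id')` and `sanitizeSiteUrl('https://example.com/$(id)')` both return null, while `sanitizeSiteUrl('http://Example.COM:8080/status')` returns `http://example.com:8080/status`. Because the wrapper rebuilds the string, even a percent-encoded metacharacter in the path is passed on only in its encoded, shell-inert form.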

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list systeminformation' to see installed version

Check Version:

npm ls systeminformation --all    # --all (npm 7+) also lists nested copies pulled in by other dependencies
npm audit                         # reports the advisory GHSA-4v2w-h9jm-mqjg for any resolved vulnerable version

Verify Fix Applied:

Confirm that every resolved copy of systeminformation reported by 'npm ls systeminformation' is 4.30.5 or higher, that the committed lockfile pins that version, and that the running process has been restarted since the update.

📡 Detection & Monitoring

Log Indicators:

  • Shell processes (sh, bash) spawned by a node process whose command line contains shell metacharacters (; | & ` $( ) in or after a URL argument
  • Unexpected network connections or DNS lookups originating from Node.js processes
  • Application errors or exceptions raised from systeminformation when an injected command string fails to run as expected

Network Indicators:

  • Unexpected outbound connections from application servers
  • Suspicious DNS queries

SIEM Query:

process.parent.name:node AND process.name:(sh OR bash OR dash) AND process.command_line:(*;* OR *|* OR *&* OR *`* OR *$(*)

inetChecksite is a JavaScript function name and never appears in a process command line; what an endpoint sensor sees is the shell that child_process.exec() spawns for the command string, so the query matches on that child process (field names follow ECS and must be mapped to your SIEM's schema). Baseline before alerting: legitimate shell commands spawned by Node applications often contain pipes and redirects, so restrict the rule to command lines that are not on the application's known-good list.
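The rule above run over constructed process-creation events, as an added example (not from the vendor or any SIEM product). It flags a shell child of node whose command line carries shell metacharacters and is not on a baseline of command lines the application is known to run. The field names, the baseline entries and the `curl -I <url>` command in the sample events are assumptions made for the example; the exact command string the library builds is not reproduced here.

```javascript
// Added example: detection logic for shell children of node carrying injected
// shell syntax, run over constructed events. Not code from any vendor.

const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);
// Metacharacters that turn one command into several or substitute output.
const METACHAR_RE = /[;&|`]|\$\(|\n/;

// Constructed baseline: command lines this application legitimately runs via
// the shell (an assumption for the example, not the library's own commands).
const BASELINE = [
  /^\/bin\/sh -c cat \/proc\/meminfo \| head -\d+$/,
];

// True when a shell child of node runs a command line with metacharacters
// that does not match any baseline pattern.
function isSuspiciousSpawn(evt, baseline = BASELINE) {
  if (evt.parent_name !== 'node') return false;
  if (!SHELLS.has(evt.name)) return false;
  if (!METACHAR_RE.test(evt.command_line)) return false;
  return !baseline.some((re) => re.test(evt.command_line));
}

// Scan JSON lines (one event per line) and return the ids of flagged events.
function scanEvents(jsonl, baseline = BASELINE) {
  return jsonl
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line))
    .filter((evt) => isSuspiciousSpawn(evt, baseline))
    .map((evt) => evt.id);
}

// Constructed sample events (ECS-like fields, flattened). Events 3 and 5 carry
// a url argument followed by injected shell syntax; 1 is a benign piped command
// on the baseline; 2 is a clean url; 4 is not a child of node.
const SAMPLE_EVENTS = [
  '{"id":1,"parent_name":"node","name":"sh","command_line":"/bin/sh -c cat /proc/meminfo | head -5"}',
  '{"id":2,"parent_name":"node","name":"sh","command_line":"/bin/sh -c curl -I https://example.com"}',
  '{"id":3,"parent_name":"node","name":"sh","command_line":"/bin/sh -c curl -I https://example.com;id"}',
  '{"id":4,"parent_name":"nginx","name":"sh","command_line":"/bin/sh -c ls;id"}',
  '{"id":5,"parent_name":"node","name":"sh","command_line":"/bin/sh -c curl -I https://example.com/$(id)"}',
].join('\n');

console.log('flagged event ids:', scanEvents(SAMPLE_EVENTS));   // [3, 5]
```

The baseline is what keeps the rule usable: event 1 contains a pipe but matches a known-good pattern, so it is not flagged, while events 3 and 5 are flagged because their metacharacters sit in a command line the application never runs on purpose. Extend BASELINE from observed clean traffic before deploying the rule.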
