CVE-2021-21388

8.9 HIGH

📋 TL;DR

CVE-2021-21388 is a command injection vulnerability in the systeminformation npm library that allows attackers to execute arbitrary commands on affected systems. It affects applications using vulnerable versions of systeminformation that call specific functions with user-controlled input. This vulnerability can lead to complete system compromise.

💻 Affected Systems

Products:
  • systeminformation npm package
Versions: All versions prior to 5.6.4
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when calling specific functions (si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad(), etc.) with user-controlled input that may be an array rather than a string.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Command execution with application user privileges, potentially leading to data theft, service disruption, or further privilege escalation.

🟢

If Mitigated

No impact if input validation rejects arrays or if patched version is used.

🌐 Internet-Facing: HIGH - Web applications using this library with user-controlled input to affected functions are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated users or other internal attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user input to reach vulnerable functions. Public proof-of-concept exists in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.4 and later

Vendor Advisory: https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-jff2-qjw8-5476

Restart Required: No

Instructions:

1. Update package.json to require systeminformation >=5.6.4.
2. Run 'npm update systeminformation'.
3. Test application functionality.

🔧 Temporary Workarounds

Input validation workaround (applies to: all)

Validate all user input passed to systeminformation functions to ensure only strings are accepted, rejecting arrays.

🧯 If You Can't Patch

  • Implement strict input validation for all parameters passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and other systeminformation functions
  • Use application-level firewalls or WAF rules to block suspicious command injection patterns
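The input validation workaround above, as an added example (not code from the page or from the systeminformation project): a wrapper that checks the first argument of the advisory's functions is a plain string before delegating. The `systeminformation` module is replaced by a constructed stub with the same function names so the block runs stand-alone; `GUARDED`, `assertStringArg` and `guardSystemInformation` are names chosen for this example.

```javascript
// Functions named in the CVE-2021-21388 advisory as reachable with
// user-controlled input.
const GUARDED = ['inetLatency', 'inetChecksite', 'services', 'processLoad'];

// Accept only a single plain string. Arrays are rejected explicitly because
// the advisory's workaround is "strings only, reject arrays"; any other
// non-string value is rejected as well.
function assertStringArg(value, name = 'argument') {
  if (Array.isArray(value)) {
    throw new TypeError(`${name} must be a string, not an array`);
  }
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}

// Return a view of a systeminformation-like object whose guarded functions
// validate their first argument before calling the underlying library.
// Other functions are inherited unchanged via the prototype chain.
function guardSystemInformation(si) {
  const wrapped = Object.create(si);
  for (const fn of GUARDED) {
    if (typeof si[fn] !== 'function') continue;
    wrapped[fn] = (arg, ...rest) => si[fn](assertStringArg(arg, fn), ...rest);
  }
  return wrapped;
}

// Constructed stub standing in for require('systeminformation'); it only
// records what it was called with and returns dummy promises.
const stubSi = {
  calls: [],
  inetLatency(host) { this.calls.push(['inetLatency', host]); return Promise.resolve(12.3); },
  services(names) { this.calls.push(['services', names]); return Promise.resolve([]); },
};

const guarded = guardSystemInformation(stubSi);

// A plain string passes through to the library; an array never reaches it.
function demo() {
  guarded.inetLatency('example.com');
  let rejected = false;
  try { guarded.services(['sshd', 'nginx']); } catch (e) { rejected = e instanceof TypeError; }
  return { forwarded: stubSi.calls.length, rejected };
}
```

In a real application, replace `stubSi` with `require('systeminformation')` and use the returned `guarded` object everywhere user input can reach these functions.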

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list systeminformation' to see installed version. If version is <5.6.4, you are vulnerable.

Check Version:

npm list systeminformation | grep systeminformation

Verify Fix Applied:

After updating, verify version is >=5.6.4 using 'npm list systeminformation' and test affected functions with various inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual child process spawns from Node.js applications
  • Commands executed with unexpected arguments
  • Error logs showing failed input validation

Network Indicators:

  • Outbound connections from Node.js processes to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

process.name:node AND (process.args:*systeminformation* OR process.args:*si.*) AND process.parent.args:*
