Login Sign Up

CVE-2025-68154

8.1 HIGH
Remote Code Execution

📋 TL;DR

CVE-2025-68154 is an OS command injection vulnerability in the systeminformation library for Node.js. On Windows systems, the fsSize() function improperly concatenates user input into PowerShell commands without sanitization, allowing attackers to execute arbitrary commands. Applications using affected versions of systeminformation that pass user-controlled input to fsSize() are vulnerable.

💻 Affected Systems

Products:
  • systeminformation
Versions: All versions prior to 5.27.14
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when applications pass user-controlled input to the fsSize() function's drive parameter.

📦 What is this software?

Systeminformation by Systeminformation

View all CVEs affecting Systeminformation →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Limited command execution within the context of the Node.js application, potentially allowing lateral movement or data exfiltration.

🟢

If Mitigated

No impact if applications don't pass user input to fsSize() or proper input validation is implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user input to reach the vulnerable function, which depends on application implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.27.14

Vendor Advisory: https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch

Restart Required: No

Instructions:

1. Update systeminformation package to version 5.27.14 or later. 2. Run 'npm update systeminformation' or update package.json dependency. 3. Restart Node.js applications using the library.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation for the drive parameter before passing to fsSize()

Function Restriction

all

Avoid passing user-controlled input to fsSize() function entirely

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user input passed to fsSize()
  • Run Node.js applications with minimal privileges and in isolated environments

🔍 How to Verify

Check if Vulnerable:

Check if systeminformation version is below 5.27.14 and if application passes user input to fsSize()

Check Version:

npm list systeminformation

Verify Fix Applied:

Verify systeminformation version is 5.27.14 or higher using npm list systeminformation

📡 Detection & Monitoring

Log Indicators:

  • Unusual PowerShell execution from Node.js processes
  • Unexpected system commands executed by Node.js applications

Network Indicators:

  • Unusual outbound connections from Node.js processes
  • Command and control traffic patterns

SIEM Query:

Process execution where parent_process contains 'node.exe' AND process_command_line contains 'powershell' AND process_command_line contains unusual parameters

📊 Metadata

CVE ID: CVE-2025-68154
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
EPSS Score: 0.08% exploit probability (22.5th percentile)
Published: December 16, 2025
Last Updated: February 19, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-68154, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)