Executive Summary

CVE-2025-68154 is a command injection vulnerability in the `fsSize()` function of the systeminformation library for Node.js on Windows. The vulnerability occurs because the optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing an attacker to inject and execute arbitrary OS commands if user-controlled input reaches this function. This can happen when an application passes unsanitized input to `fsSize()`. The issue was fixed in version 5.27.14 by properly sanitizing the input parameter. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution with the privileges of the Node.js process running the systeminformation library. An attacker can execute arbitrary PowerShell commands, potentially leading to data exfiltration, privilege escalation if the Node.js process has elevated rights, lateral movement within internal networks, and deployment of ransomware or other malicious payloads. The impact affects confidentiality, integrity, and availability of the affected system. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your application uses the `fsSize()` function from the systeminformation package on Windows and whether it passes user-controlled input to the `drive` parameter without sanitization. A practical detection method is to monitor or test for command injection attempts by sending crafted inputs to the application that uses `fsSize()`. For example, if your application exposes an API or interface that accepts a drive parameter, you can test with inputs like `C:; whoami #` to see if arbitrary commands execute. Additionally, you can audit your code for usage of `fsSize()` and verify if the `drive` parameter is sanitized. There are no specific commands provided in the resources, but testing with PowerShell commands or monitoring logs for unexpected command executions related to `fsSize()` usage can help detect exploitation attempts. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the systeminformation package to version 5.27.14 or later, where the vulnerability is patched. The patch includes proper sanitization of the `drive` parameter using `util.sanitizeShellString()` with strict mode enabled before it is concatenated into the PowerShell command. If upgrading is not immediately possible, ensure that any input passed to the `fsSize()` function's `drive` parameter is strictly sanitized to remove dangerous characters such as `;`, `&`, `|`, `$`, `` ` ``, `#`, etc., to prevent command injection. Also, review your application to avoid passing user-controlled input directly to this function. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows for arbitrary command execution on Windows systems if user-controlled input is passed unsanitized to the fsSize() function, potentially leading to data exfiltration, privilege escalation, and lateral movement within internal networks. Such unauthorized access and data breaches could result in non-compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure system operations. Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations by exposing sensitive information and compromising system integrity. [2]

Useful 0 Not Useful 0