OS Command Injection Vulnerability in Systeminformation Library for Node.js
CVE-2025-68154

8.1 HIGH

Key Information:

Vendor
CVE Published: 16 December 2025

What is CVE-2025-68154?

The systeminformation library for Node.js is vulnerable to OS command injection because user input is not properly sanitized. In versions prior to 5.27.14, the fsSize() function concatenates a user-supplied drive parameter into a PowerShell command, which can allow an attacker to execute arbitrary commands on Windows systems. The severity depends on how an application uses this function: if user-controlled input is never passed to fsSize(), the risk may be mitigated. Version 5.27.14 contains a patch for this issue.

Affected Version(s)

systeminformation < 5.27.14
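
The following is an added example, not code from the systeminformation project or from this advisory: a version check against the fixed release, plus an allowlist validator an application could apply to a drive value before it reaches fsSize(). The helper names (`isAffected`, `normalizeDrive`, `checkDrives`) are hypothetical, and the validator assumes the application only ever needs Windows drive letters.

```javascript
// Added defensive example; helper names are hypothetical, not systeminformation APIs.

const FIXED_VERSION = [5, 27, 14]; // first patched release, per the advisory

// Parse "major.minor.patch" into numbers, ignoring any pre-release/build suffix.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`unparseable version: ${version}`);
  return m.slice(1).map(Number);
}

// True when the given systeminformation version is older than 5.27.14.
function isAffected(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] < FIXED_VERSION[i];
  }
  return false;
}

// Allowlist (assumption: only drive letters are needed): one ASCII letter,
// optional colon, nothing else. Returns the normalized form ("C:") or throws,
// so a rejected value never reaches fsSize().
function normalizeDrive(input) {
  if (typeof input !== 'string') throw new TypeError('drive must be a string');
  const m = /^([A-Za-z]):?$/.exec(input);
  if (!m) throw new RangeError('drive must be a single letter such as "C:"');
  return m[1].toUpperCase() + ':';
}

// Run the validator over a batch of inputs and report accept/reject per value.
function checkDrives(samples) {
  return samples.map((s) => {
    try { return { input: s, ok: true, drive: normalizeDrive(s) }; }
    catch (e) { return { input: s, ok: false, reason: e.message }; }
  });
}

// Constructed sample values, as a request handler might receive them.
console.log(isAffected('5.27.13'), isAffected('5.27.14'));
console.log(checkDrives(['c', 'D:', 'C:; Get-Date', 'C:\n', '', 'CC:']));
```

Input validation of this kind is defense in depth for the calling application; upgrading to 5.27.14 or later remains the fix the advisory names.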

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
