
CVE-2021-21315: Systeminformation Command Injection RCE

CVE-2021-21315 is a command injection vulnerability in the Systeminformation library for Node.js that enables remote code execution. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2021-21315 Overview

CVE-2021-21315 is a command injection vulnerability in the systeminformation npm package, an open source Node.js library used to retrieve hardware, system, and operating system information. Versions before 5.3.1 fail to properly validate parameters passed to functions such as si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad(). Attackers can inject shell commands through array-based input that bypasses string sanitation. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, and the EPSS score of 93.96% places it in the 99.887 percentile for exploitation likelihood. Apache Cordova 10.0.0 is also affected as a downstream consumer of the library.

Critical Impact

Local authenticated attackers can execute arbitrary OS commands with the privileges of the Node.js process, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • systeminformation npm package versions before 5.3.1
  • Apache Cordova 10.0.0
  • NetApp products bundling vulnerable versions of the library

Discovery Timeline

  • 2021-02-16 - CVE-2021-21315 published to NVD
  • 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2021-21315

Vulnerability Analysis

The vulnerability is a classic OS command injection issue classified as CWE-78. The systeminformation package executes shell commands internally to collect system metrics. Several public API functions accept user-supplied parameters and concatenate them into shell command strings.

While the library applied string sanitation to reject shell metacharacters, the checks assumed inputs were strings. When an attacker supplies an array instead of a string, the sanitation logic is bypassed, and array elements are joined into the resulting shell command. This allows execution of arbitrary operating system commands in the context of the Node.js process.

Affected entry points include si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad(). Any application that passes untrusted input to these functions without strict type validation is exploitable.

Root Cause

The root cause is improper input validation combined with unsafe construction of shell commands. The pre-patch code only sanitized values it expected to be strings, never verifying the JavaScript type of the parameter. Arrays and other non-string types skipped the sanitation path entirely.
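The following is an added illustration of the bug class described above. It is hypothetical code written for this article, not systeminformation's own implementation: the function names, the allow-list regex and the systemctl command are assumptions. It contrasts a sanitizer that only acts on strings (so an array passes through and is stringified straight into the command) with a type-checked, allow-listed version that produces an argv vector for a no-shell spawn instead of a shell string.

```javascript
// Added illustration of CWE-78 with a type-confusion bypass.
// NOT systeminformation's code; names, regexes and the command are hypothetical.

// Pre-patch style: sanitize only when the value is already a string.
// An array skips the whole branch and is returned untouched.
function legacySanitize(value) {
  if (typeof value === 'string') {
    return value.replace(/[^A-Za-z0-9_.@-]/g, '');
  }
  return value;
}

// Template-literal interpolation calls Array.prototype.toString(), i.e.
// join(','), so every array element lands in the shell string unmodified.
function legacyBuildCommand(service) {
  const clean = legacySanitize(service);
  return `systemctl is-active ${clean}`;
}

// Hardened form: check the JavaScript type first, then allow-list the
// characters, and never hand the value to a shell at all.
const SERVICE_NAME = /^[A-Za-z0-9_.@-]{1,64}$/;

function assertServiceName(value) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`service name must be a string, got ${kind}`);
  }
  if (!SERVICE_NAME.test(value)) {
    throw new Error('service name contains characters outside the allow-list');
  }
  return value;
}

// Returns an argv vector suitable for child_process.execFile, which does not
// involve a shell, so metacharacters carry no special meaning even if the
// regex above were ever loosened.
function safeServiceArgv(service) {
  return ['systemctl', 'is-active', assertServiceName(service)];
}

// Demonstration over constructed inputs
function demo() {
  const str = 'nginx; echo injected';   // string: sanitizer strips the metacharacters
  const arr = ['nginx; echo injected']; // array: sanitizer is skipped entirely
  return {
    legacyString: legacyBuildCommand(str), // 'systemctl is-active nginxechoinjected'
    legacyArray: legacyBuildCommand(arr),  // 'systemctl is-active nginx; echo injected'
    safe: safeServiceArgv('nginx.service'),
  };
}

console.log(demo());
```

The two legacy results show why the docker.js and internet.js patches check `typeof` before anything else: a sanitizer that is only reached for strings is no sanitizer at all for other types.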

Attack Vector

Exploitation requires the attacker to control a parameter passed to one of the affected functions. In web applications that forward HTTP query parameters or JSON body fields directly into these calls, an attacker can submit an array-encoded payload such as ?svc[]=...;malicious-command; to trigger command execution.

javascript
// Patch excerpt from lib/docker.js - enforces boolean type before use
     callback = all;
     all = false;
   }
+  if (typeof all !== 'boolean' && all !== undefined) {
+    all = false;
+  }
 
   all = all || false;
   let result = [];
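Review bot: The new guard in lib/docker.js is immediately followed by `all = all || false;`, which already maps `undefined` to `false`, so the `&& all !== undefined` clause is redundant and `if (typeof all !== 'boolean') { all = false; }` would state the intent more directly. A one-line comment explaining that non-boolean values (arrays in particular) must be neutralised here, before any later option handling, would also help future readers understand why the check exists.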

Source: GitHub Commit 07daa05

javascript
// Patch excerpt from lib/internet.js - enforces string type for url parameter
         status: 404,
         ms: null
       };
-      if (typeof url !== "string") {
+      if (typeof url !== 'string') {
         if (callback) { callback(result); }
         return resolve(result);
       }
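Review bot: This hunk changes only the quoting of `"string"` to `'string'`; the `typeof url !== 'string'` check and the early `resolve(result)` appear identically in the `-` and `+` lines, so the excerpt documents a style normalisation, not a newly added type check. Either the caption should say so, or the excerpt should be widened to the lines of the commit that actually add validation for inetChecksite, if any exist. Separately, returning a synthetic `status: 404` for a type error conflates "bad input" with "site not found"; rejecting with a TypeError would let callers tell the two apart.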

Source: GitHub Commit 07daa05

The patch adds explicit typeof checks that reject non-string and non-boolean inputs before they reach the shell command construction.

Detection Methods for CVE-2021-21315

Indicators of Compromise

  • Unexpected child processes spawned from a Node.js parent that has systeminformation loaded, such as /bin/sh, cmd.exe, or powershell.exe invocations carrying unusual arguments.
  • Outbound network connections to attacker-controlled hosts originating from a Node.js application server.
  • HTTP request logs containing array-style parameters (e.g., param[]=) targeting endpoints that wrap si.inetLatency, si.inetChecksite, si.services, or si.processLoad.

Detection Strategies

  • Inventory all Node.js applications for systeminformation versions below 5.3.1 by parsing package-lock.json and yarn.lock files.
  • Add runtime monitoring rules that flag shell commands executed by Node.js processes containing metacharacters such as ;, &&, |, or backticks.
  • Inspect web application firewall logs for query string or JSON body parameters that arrive as arrays where strings are expected.
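The following is an added detection example that is not part of the original page. It implements the two log-oriented strategies above: flagging array-style query parameters (both `key[]=` and repeated keys, which body parsers commonly turn into arrays) on endpoints that wrap the affected calls, and flagging values containing the metacharacters listed above. The endpoint paths, route names and log lines are constructed for illustration; adapt WATCHED_ENDPOINTS to the routes that actually front these calls in your application.

```javascript
// Added detection example (not from the original page). Endpoint paths, route
// names and the sample log are constructed.

// Hypothetical routes that forward a request parameter into systeminformation
const WATCHED_ENDPOINTS = new Map([
  ['/api/services', 'si.services'],
  ['/api/latency', 'si.inetLatency'],
  ['/api/checksite', 'si.inetChecksite'],
  ['/api/load', 'si.processLoad'],
]);

// Shell metacharacters from the Detection Strategies list, plus $( ... )
const SHELL_META = /[;|`]|&&|\$\(/;

// Combined-log style line: pull out the HTTP method and request target
const LINE_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/;

// Returns an array of findings for a watched endpoint, or null if clean/unwatched
function analyzeRequestTarget(target) {
  const url = new URL(target, 'http://placeholder.invalid');
  const route = WATCHED_ENDPOINTS.get(url.pathname);
  if (!route) return null;
  const findings = [];
  const params = url.searchParams;
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    // qs / body-parser semantics: "key[]=v" or a repeated key becomes an array
    if (key.endsWith('[]') || values.length > 1) {
      findings.push({ route, key, reason: 'array-style parameter', values });
    }
    for (const v of values) {
      if (SHELL_META.test(v)) {
        findings.push({ route, key, reason: 'shell metacharacter in value', values: [v] });
      }
    }
  }
  return findings.length ? findings : null;
}

// Scan an array of access-log lines and return the flagged ones with findings
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const findings = analyzeRequestTarget(m.groups.target);
    if (findings) hits.push({ line, findings });
  }
  return hits;
}

// Constructed sample log (not real traffic)
const SAMPLE_LOG = [
  '10.0.0.5 - - [16/Feb/2021:10:00:01 +0000] "GET /api/services?svc=nginx HTTP/1.1" 200 87',
  '10.0.0.5 - - [16/Feb/2021:10:00:02 +0000] "GET /api/services?svc[]=nginx HTTP/1.1" 200 87',
  '10.0.0.9 - - [16/Feb/2021:10:00:03 +0000] "GET /api/services?svc=nginx&svc=sshd HTTP/1.1" 200 90',
  '10.0.0.9 - - [16/Feb/2021:10:00:04 +0000] "GET /api/latency?host=example.com;echo HTTP/1.1" 500 0',
  '10.0.0.9 - - [16/Feb/2021:10:00:05 +0000] "GET /static/app.js?v[]=1 HTTP/1.1" 200 5120',
];

for (const hit of scanAccessLog(SAMPLE_LOG)) {
  console.log(hit.findings.map(f => `${f.route} ${f.key}: ${f.reason}`).join('; '));
}
```

The fifth sample line carries an array parameter but targets a static asset, so it is deliberately not flagged: scoping the rule to the wrapping endpoints keeps the alert volume proportional to the exposure. Repeated keys are treated the same as `key[]=` because the array value, not the spelling, is what bypasses a string-only check.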

Monitoring Recommendations

  • Enable process lineage telemetry on application servers to capture node to shell process spawns with full command lines.
  • Alert on new outbound connections from application service accounts that historically only communicate with known internal endpoints.
  • Centralize Node.js application logs and correlate exceptions in systeminformation calls with subsequent process creation events.

How to Mitigate CVE-2021-21315

Immediate Actions Required

  • Upgrade systeminformation to version 5.3.1 or later in every Node.js project, including transitive dependencies.
  • Audit application code for direct use of si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad() with externally controlled inputs.
  • Rotate credentials and secrets accessible to any Node.js process that ran a vulnerable version exposed to untrusted input.
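The inventory step in Detection Strategies and the first action above both come down to finding every copy of the package, including transitive ones, whose version is below 5.3.1. The following is an added example, not part of the original page, that does this for package-lock.json in both the v1 (nested `dependencies`) and v2/v3 (flat `packages`) layouts; the lockfile contents are constructed, and yarn.lock is not covered.

```javascript
// Added lockfile inventory example (not from the original page). Sample
// lockfiles are constructed; FIXED_VERSION is the fixed release named in the
// advisory.
const FIXED_VERSION = '5.3.1';
const PACKAGE = 'systeminformation';

// Minimal semver compare on the numeric core; prerelease tags are ignored
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// v2/v3 lockfiles list every install under "packages", keyed by path such as
// "node_modules/a/node_modules/systeminformation"; v1 nests "dependencies".
// A v2 file also carries a legacy "dependencies" tree, so prefer "packages".
function findPackageVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Every install whose version predates the fix
function vulnerableInstalls(lock) {
  return findPackageVersions(lock)
    .filter(e => compareVersions(e.version, FIXED_VERSION) < 0);
}

// Convenience wrapper for a real file on disk
function scanLockfile(file) {
  const fs = require('fs');
  return vulnerableInstalls(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed v1 lockfile: a direct vulnerable copy plus a patched nested one
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    systeminformation: { version: '4.34.1' },
    'some-monitor': {
      version: '1.0.0',
      dependencies: { systeminformation: { version: '5.3.1' } },
    },
  },
};

// Constructed v2 lockfile: a vulnerable direct copy and a patched nested one
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app' },
    'node_modules/systeminformation': { version: '5.2.6' },
    'node_modules/other-tool/node_modules/systeminformation': { version: '5.6.0' },
  },
};

console.log(vulnerableInstalls(SAMPLE_LOCK_V1), vulnerableInstalls(SAMPLE_LOCK_V2));
```

Nested copies matter because `npm install systeminformation@^5.3.1` only moves the top-level dependency; a vulnerable copy pinned by another package stays in place until that package is updated or an override is applied.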

Patch Information

The maintainer fixed the issue in systeminformation 5.3.1 via GitHub Commit 07daa05. Full details are available in the GitHub Security Advisory GHSA-2m8v-572m-ff2v and the NetApp Security Advisory NTAP-20210312-0007. The package is published on npm as systeminformation.

Workarounds

  • Enforce strict type checking on all parameters before passing them to systeminformation APIs and reject any non-string values.
  • Sanitize service parameters by allow-listing alphanumeric characters and rejecting shell metacharacters before invocation.
  • Run Node.js applications under least-privilege service accounts and apply seccomp or AppArmor profiles to restrict process spawning.

```bash
# Upgrade to the patched version
npm install systeminformation@^5.3.1 --save

# Verify installed version
npm ls systeminformation

# Audit project for known vulnerabilities
npm audit --production
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
