CVE-2025-68154 Overview
CVE-2025-68154 is an OS command injection vulnerability [CWE-78] in the systeminformation Node.js library, a widely used System and OS information module. The flaw exists in the fsSize() function on Windows systems, where the optional drive parameter is concatenated directly into a PowerShell command without sanitization. Applications that forward user-controlled input to fsSize() allow attackers to execute arbitrary commands on the host. Versions prior to 5.27.14 are affected, and version 5.27.14 contains the patch.
Critical Impact
Attackers who reach the fsSize() function with crafted input can execute arbitrary PowerShell commands on Windows hosts, leading to full system compromise.
Affected Products
- systeminformation versions prior to 5.27.14
- Microsoft Windows hosts running affected versions
- Node.js applications that pass user-controlled input to fsSize()
Discovery Timeline
- 2025-12-16 - CVE-2025-68154 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-68154
Vulnerability Analysis
The systeminformation library exposes the fsSize() function to enumerate file system size information. On Windows, the implementation invokes PowerShell to gather drive statistics. The optional drive argument is concatenated into the PowerShell command string without escaping or allow-list validation.
When an application accepts user input and passes it as the drive parameter, an attacker can inject PowerShell metacharacters and additional statements. The injected payload runs as a child process with the privileges of the Node.js application, granting the attacker arbitrary command execution on the host. Exploitability hinges on application design: deployments that call fsSize() only with trusted internal constants are not exposed.
Root Cause
The root cause is missing input sanitization on the drive argument before string concatenation into a shell command. The function builds a PowerShell command dynamically and executes it via a child process, classic [CWE-78] OS command injection. Neither parameterization nor strict character filtering is applied to the argument prior to shell invocation.
Attack Vector
The attack vector is network-reachable when a vulnerable application exposes an interface — for example, an HTTP endpoint, IPC channel, or message queue handler — that forwards untrusted input into fsSize(drive). The attacker supplies a payload containing PowerShell command separators followed by arbitrary commands. The injected commands execute with the privileges of the Node.js process, which on many Windows deployments runs as a service account with elevated rights.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-wphj-fx3q-84ch for vendor technical details.
Detection Methods for CVE-2025-68154
Indicators of Compromise
- Unexpected powershell.exe child processes spawned by node.exe on Windows hosts running applications that depend on systeminformation.
- PowerShell command lines containing drive enumeration logic appended with suspicious operators such as ;, &, |, or backticks.
- Outbound network connections initiated by powershell.exe shortly after a request to an application endpoint that consumes drive or storage parameters.
Detection Strategies
- Audit application source code and dependency trees for calls to fsSize() that receive externally controlled input. Use npm ls systeminformation to identify vulnerable versions in deployed projects.
- Monitor process creation events on Windows hosts for node.exe spawning powershell.exe with non-standard arguments, correlating against known-good baselines.
- Inspect HTTP and API logs for requests containing shell metacharacters in parameters that map to drive or filesystem queries.
Monitoring Recommendations
- Enable PowerShell Script Block Logging and Module Logging on Windows servers to capture the full executed command text.
- Forward Windows Event Log channel Microsoft-Windows-PowerShell/Operational and Sysmon Event ID 1 (process creation) to a centralized log platform for correlation.
- Alert on parent-child relationships where node.exe launches powershell.exe outside of expected administrative windows.
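The following is an added example, not code from the advisory or the systeminformation project. It implements the parent-child rule above over Sysmon Event ID 1 records: node.exe spawning powershell.exe with the operators listed under Indicators of Compromise in the command line. Field names (EventID, Image, ParentImage, CommandLine, ProcessId) follow the Sysmon schema; the events and the "drive enumeration" command text are constructed samples, not the library's real command line.

```javascript
// Added example; not code from the advisory or the systeminformation project.
// Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine,
// ProcessId); every event below is constructed sample telemetry.
const METACHARS = /[;&|`]/g;

function isPowerShell(image) {
  return /\\(powershell|pwsh)\.exe$/i.test(image);
}

function isNode(image) {
  return /\\node\.exe$/i.test(image);
}

// Returns the process-creation events where node.exe spawned PowerShell with
// shell operators in the command line, annotated with the distinct operators.
// Comparing hits against a known-good baseline is left to the caller.
function findSuspiciousSpawns(events) {
  const hits = [];
  for (const ev of events) {
    if (ev.EventID !== 1) continue;                          // process creation only
    if (!isNode(ev.ParentImage) || !isPowerShell(ev.Image)) continue;
    const found = ev.CommandLine.match(METACHARS);
    if (!found) continue;
    hits.push({
      pid: ev.ProcessId,
      operators: [...new Set(found)],
      commandLine: ev.CommandLine,
    });
  }
  return hits;
}

// Constructed sample telemetry. The "drive query" text is a placeholder for
// drive enumeration logic, not the library's real command line.
const PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
const NODE = 'C:\\Program Files\\nodejs\\node.exe';
const SAMPLE_EVENTS = [
  // Benign: plain drive query, no operators.
  { EventID: 1, ProcessId: 4120, Image: PS, ParentImage: NODE,
    CommandLine: 'powershell.exe -NoProfile -Command "Get-PSDrive -Name C"' },
  // Suspicious: statement separator appended to the drive argument.
  { EventID: 1, ProcessId: 4121, Image: PS, ParentImage: NODE,
    CommandLine: 'powershell.exe -NoProfile -Command "Get-PSDrive -Name C; Write-Output injected"' },
  // Same operator but a different parent: outside this rule's scope.
  { EventID: 1, ProcessId: 4122, Image: PS, ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'powershell.exe -Command "Get-Date; Get-Process"' },
  // Not a process-creation event.
  { EventID: 3, ProcessId: 4121, Image: PS, ParentImage: NODE, CommandLine: '' },
];
```

Running findSuspiciousSpawns(SAMPLE_EVENTS) returns only the second event; legitimate PowerShell also uses the pipe operator, so in production the hits should be diffed against the application's expected command shapes before alerting.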
How to Mitigate CVE-2025-68154
Immediate Actions Required
- Upgrade systeminformation to version 5.27.14 or later across all Node.js projects, including transitive dependencies.
- Review application code paths for any invocation of fsSize() that consumes user-supplied input and remove or sanitize the input.
- Rotate credentials and inspect Windows hosts for signs of post-exploitation activity if vulnerable code was internet-exposed.
Patch Information
The maintainer released a fix in version 5.27.14. The change is documented in the vendor commit c52f9fd07fef42d2d8e8c66f75b42178da701c68 and the GitHub Security Advisory GHSA-wphj-fx3q-84ch. Upgrading to 5.27.14 removes the unsafe concatenation of the drive parameter into the PowerShell command.
Workarounds
- Do not pass user-controlled input to fsSize(). Use a strict allow-list of expected drive letters such as C:, D: before invoking the function.
- Enforce input validation at the application boundary, rejecting any value that does not match ^[A-Za-z]:$ (a single drive letter followed by a colon).
- Run Node.js services on Windows under least-privilege accounts to limit the impact of any successful command injection.
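An added example of the first two workarounds as a boundary guard; it is not code from the advisory or the systeminformation project. The library call is injected as the hypothetical parameter fsSizeImpl so the guard runs without the dependency; in a real application it would be wired as fsSizeGuarded(req.query.drive, require('systeminformation').fsSize), and ALLOWED_DRIVES is an assumed deployment-specific list.

```javascript
// Added example; not code from the advisory or the systeminformation project.
// Boundary guard for the drive parameter: accept only a single drive letter
// followed by a colon, normalise it, and check it against the drives this
// deployment exposes before anything reaches fsSize(). The library call is
// injected as `fsSizeImpl` (hypothetical wiring, e.g.
// fsSizeGuarded(req.query.drive, require('systeminformation').fsSize)).
const DRIVE_PATTERN = /^[A-Za-z]:$/;

// Allow-list of drives the application is expected to report on (assumed).
const ALLOWED_DRIVES = new Set(['C:', 'D:']);

// Returns the normalised drive ("C:") or null when the parameter is absent
// (fsSize() treats it as optional). Throws for anything else, so shell
// metacharacters, paths and trailing separators never reach the command string.
function validateDrive(input) {
  if (input === undefined || input === null || input === '') return null;
  if (typeof input !== 'string') throw new TypeError('drive must be a string');
  if (!DRIVE_PATTERN.test(input)) throw new RangeError('drive must match ^[A-Za-z]:$');
  const drive = input.toUpperCase();
  if (!ALLOWED_DRIVES.has(drive)) throw new RangeError('drive not in allow-list');
  return drive;
}

// Validate, then forward. Returns whatever fsSizeImpl returns (a promise for
// the real library); the raw input is never passed through.
function fsSizeGuarded(input, fsSizeImpl) {
  const drive = validateDrive(input);
  return drive === null ? fsSizeImpl() : fsSizeImpl(drive);
}

// Convenience for callers that prefer a result object over an exception.
function tryValidateDrive(input) {
  try {
    return { ok: true, drive: validateDrive(input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```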
# Upgrade systeminformation to the patched release
npm install systeminformation@5.27.14
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.