Heavily used Node.js package has a code injection vulnerability (Security News, February 2021)
A heavily downloaded Node.js library has a high-severity command injection vulnerability, disclosed this month.
Put simply, "Systeminformation" is a lightweight Node.js library that developers can include in their project to retrieve system information related to CPU, hardware, battery, network, services, and system processes.
According to its developer, "Systeminformation" is intended to be used on the backend.
"This library is still work in progress. It is supposed to be used as a backend/server-side library," states the developer behind the component.
Because of the code injection flaw in "Systeminformation", an attacker who controlled one of the unsanitized parameters the component passes to the operating system could get arbitrary system commands executed.
Users of "Systeminformation" should upgrade to version 5.3.1 or later to resolve CVE-2021-21315 in their applications.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-02-16 | CVE-2021-21315 | OS Command Injection vulnerability in multiple products. The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. | 7.8