The systeminformation library for Node.js is susceptible to an OS command injection vulnerability caused by improper sanitization of user input. In versions prior to 5.27.14, the fsSize() function concatenates a caller-supplied drive parameter into a PowerShell command, potentially allowing an attacker to execute arbitrary commands on Windows systems. The severity depends on the context in which an application uses this function: if user-controlled input is never passed to fsSize(), the risk may be mitigated. Version 5.27.14 fixes the issue.
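The following is an added example, not code from the systeminformation project. It places the pattern the advisory describes (a drive value spliced into a PowerShell command string) beside a defensive wrapper an application can put in front of fsSize() or any similar call: a strict allow-list on the drive parameter, and an argument array for child_process.spawn rather than a concatenated shell string. The PowerShell query text, the `powershell.exe` invocation, and the `fsSizeGuarded` helper are constructed for illustration and are assumptions, not the library's own code or command.

```javascript
// Added example, not code from the systeminformation project. The PowerShell
// query below is constructed for illustration and is not the library's own.
'use strict';

// Allow-list: exactly one ASCII drive letter followed by a colon, e.g. "C:".
const DRIVE_RE = /^[A-Za-z]:$/;

// Vulnerable pattern: the caller's value is spliced into a command string.
// Any metacharacters in `drive` become part of what PowerShell parses.
// Kept here only for comparison with the hardened form; never execute it.
function buildUnsafeCommand(drive) {
  return 'Get-CimInstance Win32_LogicalDisk -Filter "DeviceID=\'' + drive +
         '\'" | Select-Object Size,FreeSpace';
}

// Normalise and validate untrusted input. Returns the canonical "X:" form,
// or null when the value is anything other than a bare drive letter.
function normalizeDrive(input) {
  if (typeof input !== 'string') return null;
  const trimmed = input.trim();
  if (!DRIVE_RE.test(trimmed)) return null;
  return trimmed.toUpperCase();
}

// Hardened form: validate first, then return a file plus argument array for
// child_process.spawn (no `shell: true`), so the value is never re-parsed by
// cmd.exe and only a validated drive letter ever reaches the -Command text.
function buildSafeInvocation(input) {
  const drive = normalizeDrive(input);
  if (drive === null) {
    throw new TypeError(`invalid drive parameter: ${JSON.stringify(input)}`);
  }
  return {
    file: 'powershell.exe',
    args: [
      '-NoProfile',
      '-NonInteractive',
      '-Command',
      `Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${drive}'" | Select-Object Size,FreeSpace`,
    ],
  };
}

// Gating a library call: `si` is assumed to be the imported systeminformation
// module (hypothetical wiring). The gate, not the call, is the point here.
async function fsSizeGuarded(si, untrustedDrive) {
  const drive = normalizeDrive(untrustedDrive);
  if (drive === null) throw new TypeError('rejected drive parameter');
  return si.fsSize(drive);
}

// Stand-alone demonstration on constructed inputs.
console.log('unsafe:', buildUnsafeCommand('C:; echo x'));
console.log('safe  :', buildSafeInvocation(' c: ').args);
try {
  buildSafeInvocation('C:; echo x');
} catch (err) {
  console.log('rejected:', err.message);
}
```

Pinning the patched version is the primary fix; the wrapper is a defence-in-depth measure for code paths where the drive value originates from a request, configuration file, or other untrusted source. Validation happens before the value reaches any PowerShell text, and the allow-list rejects rather than escapes, since quoting rules differ between PowerShell and cmd.exe.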
https://securityvulnerability.io/vulner ... 2025-68154