OS Command Injection Vulnerability in Systeminformation Library for Node.js

Posted: Wed Dec 17, 2025 2:10 am
by Shane1145
The systeminformation library for Node.js is susceptible to an OS command injection vulnerability due to improper sanitization of user inputs. In versions prior to 5.27.14, the fsSize() function concatenates a user-defined drive parameter into a PowerShell command, potentially allowing an attacker to execute arbitrary commands on Windows systems. This vulnerability's severity is contingent upon the context in which applications utilize this function. If user-controlled input is not passed to fsSize(), the risk may be mitigated. Version 5.27.14 addresses this issue with a necessary patch.

https://securityvulnerability.io/vulner ... 2025-68154
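
A guard an application could place in front of `fsSize()`, as an added example that is not part of the original post or of the systeminformation project. The names `normalizeDrive`, `isPatched` and `safeFsSize` are hypothetical, and the drive-letter allowlist is an assumption about what callers legitimately need; the version threshold is the 5.27.14 release named in the post.

```javascript
// Added example (hypothetical helper names), not code from systeminformation.
const FIXED_VERSION = [5, 27, 14]; // first patched release, per the post

// Allowlist: one drive letter, optional colon, optional trailing backslash.
// Anything else (spaces, quotes, ';', '|', '$', newlines) is rejected outright.
const DRIVE_RE = /^[A-Za-z]:?\\?$/;

// Returns a canonical "X:" string, or null if the input is not a plain drive.
function normalizeDrive(input) {
  if (typeof input !== 'string' || !DRIVE_RE.test(input)) {
    return null;
  }
  return input[0].toUpperCase() + ':';
}

// True when a "major.minor.patch" version string is >= 5.27.14.
// Unparseable versions are treated as unpatched (fail closed).
function isPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] > FIXED_VERSION[i];
  }
  return true;
}

// Validates before delegating. fsSizeFn is injected so the guard can be
// exercised without the library, e.g. safeFsSize(d => si.fsSize(d), userInput).
function safeFsSize(fsSizeFn, userDrive) {
  const drive = normalizeDrive(userDrive);
  if (drive === null) {
    throw new TypeError('rejected drive parameter');
  }
  return fsSizeFn(drive);
}
```

Input validation of this kind complements the upgrade to 5.27.14 rather than replacing it; `isPatched` can be run against the version field of the installed package's `package.json` in a CI or startup check.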