Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighPublic exploit

OS Command Injection in systeminformation fsSize() on Windows

IdentifiersCVE-2025-68154CWE-78· Improper Neutralization of Special…

CVE-2025-68154 is an OS command injection vulnerability in the Node.js library systeminformation affecting versions prior to 5.27.14. On Windows systems, the vulnerable code path is in the fsSize() function, where the optional drive parameter is directly concatenated into a PowerShell command without proper sanitization or validation. If an application passes attacker-controlled input into fsSize(), an attacker can inject additional shell metacharacters or commands and cause arbitrary command execution. The issue is application-dependent: deployments are only exploitable when untrusted input can reach fsSize() on a Windows host.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary command execution on the underlying Windows system with the privileges of the Node.js process running the application. Depending on that process context, this can enable full compromise of the application environment, execution of follow-on payloads, data theft, service manipulation, persistence, and potential lateral movement. In practical terms, exposed web applications, APIs, dashboards, or monitoring tools that pass user-supplied drive values to fsSize() could be remotely abused without authentication if that input path is reachable.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, prevent untrusted input from reaching fsSize() entirely. Apply strict server-side validation and allowlisting for any drive parameter, rejecting characters or patterns that could alter PowerShell command structure. Limit exposure of any application features that let remote users specify filesystem targets on Windows hosts, and run the Node.js service with the least privileges necessary to reduce post-exploitation impact.

Remediation

Patch, then assume compromise.

Upgrade systeminformation to version 5.27.14 or later, which contains the vendor patch for this issue. In addition, review all application code paths that call fsSize() and ensure the drive argument cannot be influenced by untrusted input. Where drive selection is required, enforce strict allowlisting such as fixed drive letters or known-safe identifiers rather than passing raw user input.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SysteminformationSysteminformationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
jpcert jpNews
Dec 24, 2025
Weekly Report 2025-12-24号

An OS command injection vulnerability in the fsSize function of the Node.js library 'systeminformation'.

Read more
the hacker newsNews
Dec 22, 2025
⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More

A vulnerability in systeminformation. No further details provided in the content.

Read more
cyber security newsNews
Dec 18, 2025
Critical Vulnerability in Popular Node.js Library Exposes Windows Systems to RCE Attacks

An OS command injection vulnerability (CWE-78) in the systeminformation npm package’s fsSize() function on Windows, where unvalidated user-controlled input is incorporated into a PowerShell command, enabling arbitrary command execution with the Node.js process privileges.

Read more
cvefeed high severityNews
Dec 16, 2025
CVE-2025-68154 - Command Injection in fsSize() on Windows

A command injection vulnerability in the fsSize() function of the systeminformation Node.js library on Windows, allowing arbitrary command execution if user input is unsanitized. Fixed in version 5.27.14.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-68154
NVD
nvd.nist.gov/vuln/detail/CVE-2025-68154
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
Patch
github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68
Vendor Advisory
github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch