Node.js Systeminformation Command Injection Vulnerability CVE-2021-21315 Scanner

Details
Asset Type: DOMAIN, IP, URL
Need Membership: Yes
Asset Verify: Yes
API Support: Yes
Estimate Time (Second): 15

Node.js Systeminformation Command Injection Vulnerability CVE-2021-21315 Scanner Detail

The System Information Library for Node.js (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. Versions of systeminformation before 5.3.1 contain a command injection vulnerability.

The problem was fixed in version 5.3.1. As a workaround instead of upgrading, check or sanitize the service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... Allow only strings and reject any arrays. String sanitation works as expected.

Some Advice for Common Problems

  1. Update your Node.js systeminformation library to the latest version immediately to eliminate this vulnerability.
  2. Allow only strings for these parameters; reject any arrays.
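
One way to apply the strings-only workaround, as an added example that is not code from the systeminformation project or from this scanner: a wrapper that type-checks the first argument of the four functions named above before the library sees it. The helper names (requireString, guardLibrary, parseQuery) are hypothetical, and a stub stands in for the real library so the block runs offline.

```javascript
// Added example; requireString, guardLibrary and parseQuery are hypothetical names.
const GUARDED = ['inetLatency', 'inetChecksite', 'services', 'processLoad'];

// Accept only primitive strings; arrays, objects and undefined are rejected.
function requireString(value, name) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`${name}: expected string, got ${kind}`);
  }
  return value;
}

// Return an object that behaves like `si`, except the listed functions
// type-check their first argument before the library sees it.
// Assumption: callers always pass that first argument explicitly.
function guardLibrary(si, names = GUARDED) {
  const wrapped = Object.create(si);
  for (const name of names) {
    wrapped[name] = (value, ...rest) => si[name](requireString(value, name), ...rest);
  }
  return wrapped;
}

// Minimal query parser mirroring common framework behaviour:
// a repeated key produces an array instead of a string.
function parseQuery(qs) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(qs)) {
    out[key] = key in out ? [].concat(out[key], value) : value;
  }
  return out;
}

// Constructed demo: a stub stands in for the real library so this runs offline.
function demo() {
  const seen = [];
  const stub = Object.fromEntries(GUARDED.map((n) => [n, (v) => { seen.push(`${n}:${v}`); return v; }]));
  const si = guardLibrary(stub);
  const results = [];
  for (const qs of ['name=nginx', 'name=nginx&name=sshd', 'other=1']) {
    try {
      si.services(parseQuery(qs).name);
      results.push('passed');
    } catch (err) {
      results.push(`rejected (${err.message})`);
    }
  }
  return { seen, results };
}

console.log(demo());
```

In an application, pass the real `require('systeminformation')` object to guardLibrary and use the returned object everywhere request data reaches these calls.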
