Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
System Information Library for Node.js Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the System Information Library for Node.js (the systeminformation npm package) in versions prior to 5.3.1. Several library functions, including 'inetLatency', 'inetChecksite', 'services', and 'processLoad', build shell commands from caller-supplied service parameters and only validate those parameters when they are strings. A value of another type, such as an array, is not checked, so its contents reach the shell command unsanitized and an attacker who controls the parameter can inject additional commands that run in the application's environment.
Impact
Exploitation of this vulnerability allows arbitrary commands to be executed on the host with the privileges of the Node.js process that calls the affected functions. Applications that pass user-controlled input (for example, a hostname, URL, or service name taken from a request) to these functions are exposed.
Reproduction
The vulnerability can be reproduced by passing an unsanitized service parameter of the wrong type to one of the affected functions. For example, passing an array instead of a string bypasses the string-only validation: the array is stringified into the shell command without being checked, so shell metacharacters in its elements lead to command injection.
Remediation
Users are advised to upgrade to version 5.3.1 or later. If an upgrade is not possible, validate service parameters before passing them to the vulnerable functions: accept only strings, reject arrays and any other non-string value, and restrict the accepted characters to those expected for a hostname, URL, or service name. Sanitizing the string itself is not sufficient on its own, since the bypass depends on the parameter's type rather than its contents.
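The following is an added example, not code from the systeminformation project. It shows the workaround from the remediation section as a guard that rejects non-string values before they reach functions such as si.inetLatency(), together with a simplified, hypothetical stand-in for a string-only sanitizer that illustrates why an array slips past it. The character set in ALLOWED, the helper names, and the mock command builder are assumptions for illustration; the library's real sanitization code is not reproduced here.

```javascript
// Added example (not the library's own code). Demonstrates the type-check
// workaround for the array bypass described above.

// Assumption: service parameters are hostnames, URLs, or service names, so a
// conservative allow-list of characters is sufficient for this illustration.
const ALLOWED = /^[A-Za-z0-9._:/-]+$/;

// Guard to apply before calling si.inetLatency(), si.inetChecksite(),
// si.services(), or si.processLoad(). Rejects arrays and every other
// non-string value, then restricts the string to the allow-list.
function assertServiceParam(value) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`service parameter must be a string, got ${kind}`);
  }
  if (!ALLOWED.test(value)) {
    throw new Error(`service parameter contains disallowed characters: ${JSON.stringify(value)}`);
  }
  return value;
}

// Hypothetical stand-in for a string-only sanitizer: strings are stripped of
// everything outside the allow-list, but any other type passes through as-is.
// This is constructed to illustrate the bypass, not the library's real code.
function naiveSanitize(param) {
  if (typeof param === 'string') {
    return param.replace(/[^A-Za-z0-9._:/-]/g, '');
  }
  return param;
}

// Hypothetical command builder in the style of a latency check. When param is
// an array, the template literal calls Array.prototype.toString(), so the raw
// element text (including ';') lands in the command string.
function buildPingCommand(param) {
  return `ping -c 1 ${naiveSanitize(param)}`;
}

// Wrapper for the real library call. `si` is injected so the guard can be
// exercised without the package installed; in an application it would be
// `const si = require('systeminformation')`.
function safeInetLatency(si, host) {
  return si.inetLatency(assertServiceParam(host));
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildPingCommand('example.com; id'));    // metacharacters stripped
  console.log(buildPingCommand(['example.com; id']));  // array bypasses the sanitizer
  try {
    assertServiceParam(['example.com; id']);
  } catch (e) {
    console.log('guard rejected:', e.message);
  }
}
```

The guard belongs at the boundary where untrusted input enters the application, ahead of every call into the library, and it should be kept in place even after upgrading so that a future type-confusion bypass in any dependency is caught before it reaches a shell.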
