sebhildebrandt/systeminformation
- Affected versions: <= 5.27.13
A command injection vulnerability has been identified in the `fsSize()` function of the `systeminformation` library for Node.js, affecting versions prior to 5.27.14. The vulnerability arises on Windows systems, where the optional `drive` parameter is concatenated into a PowerShell command without proper sanitization. This flaw allows arbitrary command execution if user-controlled input is passed to the function. Whether it can be exploited depends on how a given application passes input to `fsSize()`.
Exploitation of this vulnerability allows for OS command injection, with the potential for remote code execution, data exfiltration, and, in cases where Node.js is run with elevated privileges, privilege escalation.
To reproduce this vulnerability, use a version of the `systeminformation` library prior to 5.27.14. Create a Node.js application that calls the `fsSize()` function and passes user-controlled input as the `drive` parameter. This can be done through an API endpoint that accepts drive letters from users. Once the application is running, send a request to the API with a crafted `drive` parameter that includes a command injection payload, such as 'C:; whoami #'.
Users are advised to update to version 5.27.14 or later, where this vulnerability has been patched.
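As an added example (not code from the `systeminformation` project), the following shows the two checks an application owner would want while rolling out the upgrade: an allow-list guard that only lets a bare Windows drive designator reach `fsSize()` (the crafted value from the reproduction steps above is rejected), and a version comparison that flags any installed version below the fixed release 5.27.14. The `handleDiskQuery` wrapper and the `si` object it receives are assumptions for illustration; in a real application `si` would be `require('systeminformation')`, and the dependency version would come from the installed package's `package.json`.

```javascript
// Added example, not part of the systeminformation library.
// Defensive guard for the `drive` argument of fsSize(), plus a check that
// flags library versions below the release that fixed the injection.

const FIXED_VERSION = '5.27.14'; // first version containing the fix

// A Windows drive designator is one letter, optionally followed by ':'.
// Anything else (command separators, spaces, quotes, '#', '$') is rejected.
const DRIVE_PATTERN = /^[A-Za-z]:?$/;

function isSafeDrive(drive) {
  if (typeof drive !== 'string') return false;
  return DRIVE_PATTERN.test(drive);
}

// Normalize an accepted designator to the canonical "X:" form; throw on
// anything that fails the allow-list so the caller fails closed.
function normalizeDrive(drive) {
  if (!isSafeDrive(drive)) {
    throw new Error('Rejected drive parameter: ' + JSON.stringify(drive));
  }
  return drive[0].toUpperCase() + ':';
}

// Compare dotted numeric versions ("5.27.13" vs "5.27.14").
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True for every version the advisory lists as affected (< 5.27.14).
function isVulnerableVersion(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Hypothetical request handler: `si` stands in for require('systeminformation')
// and is injected so this block runs without the library installed.
// Untrusted input is validated before it can reach fsSize().
async function handleDiskQuery(si, untrustedDrive) {
  const drive = normalizeDrive(untrustedDrive);
  return si.fsSize(drive);
}
```

In an HTTP handler the `untrustedDrive` argument would be the query or path parameter the client supplies; because `normalizeDrive` throws on anything outside the allow-list, the endpoint can map that error to a 400 response and log the rejected value for detection purposes. The version check is meant for a build-time or startup audit, not as a substitute for upgrading.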