systeminformation Command Injection Vulnerability in Versions Prior to 5.31.0

Vulnerability

A command injection vulnerability has been identified in the systeminformation library for Node.js, specifically in versions through 5.30.7. The issue arises in the 'versions()' function, where unsanitized output from the 'locate' command is used to construct a new command for execution. This vulnerability is present on Linux systems where 'locate' or 'plocate' is installed and PostgreSQL binaries are indexed by the locate database.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system, with the executed commands running under the privileges of the Node.js process. This could lead to unauthorized access or manipulation of system resources, data, or applications.

Reproduction

To reproduce this vulnerability, first ensure that the target system is running Linux and has 'locate' or 'plocate' installed, and verify that the PostgreSQL binary is indexed by the locate database. Then create a file whose path includes a command injection payload, such as a semicolon-separated command. Once the malicious file has been indexed by 'locate', calling the 'versions()' function triggers the vulnerability and executes the injected command.

Remediation

Users can upgrade to systeminformation version 5.31.0 or later, where this vulnerability has been patched.

Added: Feb 19, 2026, 8:32 PM
Updated: Feb 19, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 3.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.