Home > Vulnerability Database > CVE-2025-68154

Mend.io Vulnerability Database

CVE-2025-68154

Good to know:

Date: December 16, 2025

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the "fsSize()" function in systeminformation is vulnerable to OS command injection on Windows systems. The optional "drive" parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to "fsSize()", it is not vulnerable. Version 5.27.14 contains a patch.

Severity Score

8.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68154

Url: https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68

Url: https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch

Url: https://github.com/sebhildebrandt/systeminformation

Url: https://www.mend.io/vulnerability-database/CVE-2025-68154

Severity Score

8.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version systeminformation - 5.27.14;https://github.com/sebhildebrandt/systeminformation.git - v5.27.14

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68154

Good to know:

Date: December 16, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?