CVE-2021-21315 — System Information Library for Node.JS Command Injection

CVE-2021-21315

systeminformation npm Package — Command Injection via Unsanitized name Parameter Enables Host OS Command Execution and Container Escape; Fixed in v5.3.1

What is the systeminformation npm Package?

systeminformation is a widely used Node.js library (npm package) that provides cross-platform system information retrieval — CPU usage, memory, disk, network interfaces, processes, services, and more. It is used in monitoring dashboards, server management tools, DevOps tooling, and infrastructure management applications. The library collects system information by invoking OS-level commands or reading system APIs, and some of these operations accept user-supplied parameters (such as process names or interface names) that are incorporated into shell commands. When these parameters are not properly sanitized before being passed to a shell, they create OS command injection vulnerabilities. Because systeminformation is typically used in server-side Node.js applications, injection through its APIs can reach the underlying host OS — including escaping container boundaries if the application runs in a container.

Overview

CVE-2021-21315 is an OS command injection vulnerability (CWE-78) in the systeminformation npm package (versions before 5.3.1). Certain functions in the library accept a name parameter that is incorporated into OS command strings without sanitization — an attacker who can influence the value passed as the name parameter can inject arbitrary OS commands that execute on the server. The Scope: Changed (S:C) classification reflects that the injection can break out of the application's normal execution context (e.g., escaping a container to affect the host OS). Fixed in systeminformation version 5.3.1. CISA added it to the KEV catalog in January 2022.

Affected Versions

Product                          Vulnerable   Fixed
systeminformation before 5.3.1   Yes          5.3.1 (February 7, 2021)

Technical Details

  • Root cause: OS command injection (CWE-78) — functions in systeminformation that accept a name parameter (such as process lookup, service status, or interface queries) construct shell commands by string-interpolating the unsanitized parameter; an attacker-controlled value containing shell metacharacters (;, &&, |, backticks) causes the library to execute attacker-specified commands alongside or instead of the intended query
  • Attack vector AV:L: The vulnerability is triggered when attacker-controlled data reaches the name parameter within the application's Node.js code; this can happen via web API inputs, configuration data, or user-supplied values that the application passes to systeminformation functions
  • Scope: Changed (S:C): If the Node.js application runs in a container, the injected commands execute in the container environment with the application's permissions; commands that interact with the host (via mounted volumes, exposed APIs, or kernel capabilities) can affect the host OS outside the container boundary
  • No privileges required, no user interaction: PR:N/UI:N — once attacker-controlled data reaches the vulnerable parameter, exploitation is automatic; there is no authentication requirement within the library itself (the application's own authentication is the only gate)
  • I:H, C:N: The primary impact is command execution / filesystem writes (integrity); the CVSS C:N rating reflects that information exfiltration is not the direct outcome of the injection itself, though arbitrary command execution can certainly enable data theft

Discovery

Discovered by Marlon Weiss and reported via a GitHub security advisory. Patched in systeminformation version 5.3.1, released February 7, 2021. The CISA KEV addition in January 2022 reflects active exploitation of applications using vulnerable systeminformation versions — particularly network management, monitoring, and infrastructure tools that expose web APIs accepting user-controlled input.

Exploitation Context

Supply chain vulnerabilities in npm packages like systeminformation affect the many applications built on top of them. Applications that pass user-controlled input (web request parameters, form fields, API arguments) to systeminformation functions without validation are vulnerable to OS command injection. In containerized environments, injected commands can interact with the host via exposed capabilities, privileged mounts, or kernel interfaces — the S:C CVSS scope reflects this container escape potential. CISA's KEV addition reflects that specific network management and monitoring applications built on systeminformation were actively exploited by attackers using command injection to achieve RCE on the servers running those applications.

Remediation

  1. Update systeminformation to version 5.3.1 or later — run npm update systeminformation or update the version constraint in package.json
  2. Audit your application code for any paths that pass user-controlled data as the name parameter to systeminformation functions — these code paths are the injection vectors
  3. Apply input validation on all data reaching systeminformation APIs: allowlist expected values (specific process names, interface names) rather than passing arbitrary user input
  4. Use npm audit to identify all packages in your dependency tree with known vulnerabilities, including transitive dependencies on outdated systeminformation versions
  5. In containerized deployments, review container capabilities and mount points that could allow injected commands to affect the host system
  6. Enable process execution monitoring in your Node.js application environment — unexpected child processes spawned by the Node.js runtime indicate command injection

Key Details

Property               Value
CVE ID                 CVE-2021-21315
Vendor / Product       Npm package — System Information Library for Node.JS
NVD Published          2021-02-16
NVD Last Modified      2025-10-24
CVSS 3.1 Score         7.1
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Severity               HIGH
CWE                    CWE-78
CISA KEV Added         2022-01-18
CISA KEV Deadline      2022-02-01
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        None
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date         Event
2021-02-07   systeminformation v5.3.1 released, patching the CVE-2021-21315 command injection via the name parameter
2021-02-16   CVE published; GitHub security advisory GHSA-x62c-2935-p58x published
2022-01-18   Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01   CISA BOD 22-01 remediation deadline