Moderate severity · NVD Advisory · Published Nov 27, 2020 · Updated Aug 4, 2024

Prototype Pollution leading to Command Injection in systeminformation

CVE-2020-26245

Description

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell-string sanitization to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize the service-parameter strings that are passed to si.inetChecksite(); the patch below also hardens the string handling in services() (lib/processes.js) and networkStatsSingle() (lib/network.js), so treat the parameters reaching those paths as untrusted as well.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
systeminformation (npm) | < 4.30.5 | 4.30.5


Patches

1
8113ff0e87b2

adapted security update (prototype pollution prevention)

https://github.com/sebhildebrandt/systeminformationSebastian HildebrandtNov 26, 2020via ghsa
8 files changed · +47 7
  • CHANGELOG.md+1 0 modified
    @@ -30,6 +30,7 @@ For major (breaking) changes - version 3 and 2 see end of page.
     
     | Version        | Date           | Comment  |
     | -------------- | -------------- | -------- |
    +| 4.30.5         | 2020-11-26     | adapted security update (prototype pollution prevention) |
     | 4.30.4         | 2020-11-25     | reverted Object.freeze because it broke some projects |
     | 4.30.3         | 2020-11-25     | security update (prototype pollution prevention) Object.freeze |
     | 4.30.2         | 2020-11-25     | security update (prototype pollution prevention) |
    
  • docs/history.html+5 0 modified
    @@ -83,6 +83,11 @@ <h3>Full version history</h3>
                       </tr>
                     </thead>
                     <tbody>
    +                  <tr>
    +                    <th scope="row">4.30.5</th>
    +                    <td>2020-11-26</td>
    +                    <td>adapted security update (prototype pollution prevention)</td>
    +                  </tr>
                       <tr>
                         <th scope="row">4.30.4</th>
                         <td>2020-11-25</td>
    
  • docs/index.html+1 1 modified
    @@ -168,7 +168,7 @@
           <img class="logo" src="assets/logo.png">
           <div class="title">systeminformation</div>
           <div class="subtitle"><span id="typed"></span></div>
    -      <div class="version">Current Version: <span id="version">4.30.4</span></div>
    +      <div class="version">Current Version: <span id="version">4.30.5</span></div>
           <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
         </div>
         <div class="down">
    
  • lib/index.js+0 3 modified
    @@ -21,9 +21,6 @@
     // Dependencies
     // ----------------------------------------------------------------------------------
     
    -// Object.freeze(String.prototype);
    -// Object.freeze(Object.prototype);
    -
     const lib_version = require('../package.json').version;
     const util = require('./util');
     const system = require('./system');
    
  • lib/internet.js+1 0 modified
    @@ -40,6 +40,7 @@ function inetChecksite(url, callback) {
               s[i] === ' ' ||
               s[i] === '{' ||
               s[i] === '}')) {
    +          s[i].__proto__.toLowerCase = util.stringToLower;
               const sl = s[i].toLowerCase();
               if (sl && sl[0] && !sl[1]) {
                 urlSanitized = urlSanitized + sl[0];
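Review bot: The added line `s[i].__proto__.toLowerCase = util.stringToLower;` rewrites the process-global `String.prototype.toLowerCase` on every iteration of the sanitizing loop, a side effect on every other module in the process, and it is never undone. Calling the pinned function directly gives the same protection without touching the global: `const sl = util.stringToLower.call(s[i]);`. Note that `util.stringToLower` is whatever `String.prototype.toLowerCase` resolved to when `lib/util.js` was first evaluated, so if the pollution predates that load neither form helps; a comment stating this best-effort nature would be appropriate. The enclosing `inetChecksite` begins and ends outside the hunk.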
    
  • lib/network.js+7 2 modified
    @@ -1040,8 +1040,13 @@ function networkStatsSingle(iface) {
     
       return new Promise((resolve) => {
         process.nextTick(() => {
    -
    -      const ifaceSanitized = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
    +      let ifaceSanitized = '';
    +      const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
    +      for (let i = 0; i <= 2000; i++) {
    +        if (!(s[i] === undefined)) {
    +          ifaceSanitized = ifaceSanitized + s[i];
    +        }
    +      }
     
           let result = {
             iface: ifaceSanitized,
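Review bot: The copy loop `for (let i = 0; i <= 2000; i++)` guarded by `if (!(s[i] === undefined))` reads indices past `s.length`, and for a string primitive those reads fall through to `String.prototype` and `Object.prototype`; a polluted numeric key such as `Object.prototype["10"]` would therefore be appended to `ifaceSanitized` after `sanitizeShellString` has already run, reintroducing attacker-controlled characters. The own `length` property of a string primitive cannot be polluted, so bounding the loop by it closes that gap: `for (let i = 0; i < s.length && i <= 2000; i++) {`. A comment explaining the 2000-character cap and why the character-by-character copy exists (presumably to avoid tampered string methods — confirm) would help the next reader. `networkStatsSingle` continues outside the hunk.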
    
  • lib/processes.js+12 1 modified
    @@ -98,7 +98,18 @@ function services(srv, callback) {
       return new Promise((resolve) => {
         process.nextTick(() => {
           if (srv) {
    -        let srvString = util.sanitizeShellString(srv);
    +        let srvString = '';
    +        srvString.__proto__.toLowerCase = util.stringToLower;
    +        srvString.__proto__.replace = util.stringReplace;
    +        srvString.__proto__.trim = util.stringTrim;
    +
    +        const s = util.sanitizeShellString(srv);
    +        for (let i = 0; i <= 2000; i++) {
    +          if (!(s[i] === undefined)) {
    +            srvString = srvString + s[i];
    +          }
    +        }
    +
             srvString = srvString.trim().toLowerCase().replace(/, /g, '|').replace(/,+/g, '|');
             if (srvString === '') {
               srvString = '*';
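Review bot: The three `srvString.__proto__.X = util.stringX` assignments rewrite `String.prototype.toLowerCase`, `replace` and `trim` for the entire process and are never restored, so `services()` now mutates global built-ins as a side effect of being called. The pinned functions can be invoked directly on the copied string instead, which avoids the global mutation while still bypassing whatever is currently installed on the prototype. The copy loop also reads `s[i]` up to index 2000 regardless of `s.length`, so a polluted numeric key on `Object.prototype` would be appended after sanitization; bounding it by `s.length` (an own, non-pollutable property of a string primitive) avoids that. `services()` continues outside the hunk.

```javascript
        const s = util.sanitizeShellString(srv);
        for (let i = 0; i < s.length && i <= 2000; i++) {
          if (!(s[i] === undefined)) {
            srvString = srvString + s[i];
          }
        }
        // Call the built-ins pinned in util.js directly rather than re-installing
        // them on String.prototype (a process-wide side effect).
        srvString = util.stringTrim.call(srvString);
        srvString = util.stringToLower.call(srvString);
        srvString = util.stringReplace.call(srvString, /, /g, '|');
        srvString = util.stringReplace.call(srvString, /,+/g, '|');
        // … unchanged: empty-string fallback to '*' …
```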
    
  • lib/util.js+20 0 modified
    @@ -48,6 +48,13 @@ function toInt(value) {
       return result;
     }
     
    +
    +const stringReplace = new String().replace;
    +const stringToLower = new String().toLowerCase;
    +const stringToString = new String().toString;
    +const stringSubstr = new String().substr;
    +const stringTrim = new String().trim;
    +
     function isFunction(functionToCheck) {
       let getType = {};
       return functionToCheck && getType.toString.call(functionToCheck) === '[object Function]';
    @@ -523,6 +530,12 @@ function isPrototypePolluted() {
       const s = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
       let notPolluted = true;
       let st = '';
    +
    +  st.__proto__.replace = stringReplace;
    +  st.__proto__.toLowerCase = stringToLower;
    +  st.__proto__.toString = stringToString;
    +  st.__proto__.substr = stringSubstr;
    +
       notPolluted = notPolluted || !(s.length === 62)
       const ms = Date.now();
       if (typeof ms === 'number' && ms > 1600000000000) {
    @@ -542,6 +555,7 @@ function isPrototypePolluted() {
         // string manipulation
         let p = Math.random() * l * 0.9999999999;
         let stm = st.substr(0, p) + ' ' + st.substr(p, 2000);
    +    stm.__proto__.replace = stringReplace;
         let sto = stm.replace(/ /g, '');
         notPolluted = notPolluted && st === sto;
         p = Math.random() * l * 0.9999999999;
    @@ -562,6 +576,7 @@ function isPrototypePolluted() {
         notPolluted = notPolluted && (stl.length === l) && stl[l - 1] && !(stl[l])
         for (let i = 0; i < l; i++) {
           const s1 = st[i];
    +      s1.__proto__.toLowerCase = stringToLower;
           const s2 = stl ? stl[i] : '';
           const s1l = s1.toLowerCase();
           notPolluted = notPolluted && s1l[0] === s2 && s1l[0] && !(s1l[1]);
    @@ -806,3 +821,8 @@ exports.isRaspbian = isRaspbian;
     exports.sanitizeShellString = sanitizeShellString;
     exports.isPrototypePolluted = isPrototypePolluted;
     exports.decodePiCpuinfo = decodePiCpuinfo;
    +exports.stringReplace = stringReplace;
    +exports.stringToLower = stringToLower;
    +exports.stringToString = stringToString;
    +exports.stringSubstr = stringSubstr;
    +exports.stringTrim = stringTrim;
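Review bot: `isPrototypePolluted()` now re-installs `stringReplace`, `stringToLower`, `stringToString` and `stringSubstr` onto `String.prototype` (via `st.__proto__` and `stm.__proto__`) before its behavioural checks run, so pollution of exactly those four methods is silently repaired and then reported as "not polluted" — callers that branch on the result, such as the `util.isPrototypePolluted() ? '---' : …` in `networkStatsSingle`, get a false negative, and the function gains a global side effect its name does not suggest. Running the checks through the pinned functions without touching the prototype (`stringReplace.call(stm, / /g, '')`, `stringToLower.call(s1)`) keeps the detection honest; if the in-place repair is intentional it should be renamed or documented. The `new String().replace` captures near the top of the file are only as trustworthy as `String.prototype` was when `lib/util.js` was first evaluated, so a comment such as `// Pinned at module load: no protection against pollution that happened before this module was required` belongs above them. Unrelated to this change but adjacent to it, the context line `notPolluted = notPolluted || !(s.length === 62)` is always true because `notPolluted` starts as `true`, so that check is a no-op.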
    

