Moderate severityNVD Advisory· Published Dec 16, 2020· Updated Aug 4, 2024
Command Injection Vulnerability in systeminformation
CVE-2020-26274
Description
In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
systeminformationnpm | < 4.31.1 | 4.31.1 |
Affected products
1- Range: < 4.31.1
Patches
11faadcbf68f1inetLatency() command injection vulnaribility fix
5 files changed · +27 −2
CHANGELOG.md+1 −0 modified@@ -30,6 +30,7 @@ For major (breaking) changes - version 3 and 2 see end of page. | Version | Date | Comment | | -------------- | -------------- | -------- | +| 4.31.1 | 2020-12-11 | `inetLatency()` command injection vulnaribility fix | | 4.31.0 | 2020-12-06 | `osInfo()` added FQDN | | 4.30.11 | 2020-12-02 | `cpu()` bug fix speed parsing | | 4.30.10 | 2020-12-01 | `cpu()` handled speed parsing error (Apple Silicon) |
docs/history.html+5 −0 modified@@ -83,6 +83,11 @@ <h3>Full version history</h3> </tr> </thead> <tbody> + <tr> + <th scope="row">4.31.1</th> + <td>2020-12-06</td> + <td><span class="code">inetLatency()</span> command injection vulnaribility fix</td> + </tr> <tr> <th scope="row">4.31.0</th> <td>2020-12-06</td>
docs/index.html+2 −2 modified@@ -165,11 +165,11 @@ <body> <header class="bg-image-full"> <div class="container"> - <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.30.5</a> + <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.31.1</a> <img class="logo" src="assets/logo.png"> <div class="title">systeminformation</div> <div class="subtitle"><span id="typed"></span></div> - <div class="version">Current Version: <span id="version">4.31.0</span></div> + <div class="version">Current Version: <span id="version">4.31.1</span></div> <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button> </div> <div class="down">
docs/security.html+17 −0 modified@@ -42,6 +42,23 @@ <div class="col-12 sectionheader"> <div class="title">Security Advisories</div> <div class="text"> + <h2>Command Injection Vulnerability</h2> + <p><span class="bold">Affected versions:</span> + < 4.31.1<br> + <span class="bold">Date:</span> 2020-12-11<br> + <span class="bold">CVE indentifier</span> (not yet) + </p> + + <h4>Impact</h4> + <p>Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: <span class="code">inetLatency()</span>.</p> + + <h4>Patch</h4> + <p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1</p> + + <h4>Workarround</h4> + <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p> + + <h2>command injection vulnerability - prototype pollution</h2> <p><span class="bold">Affected versions:</span> < 4.30.5<br>
lib/util.js+2 −0 modified@@ -521,6 +521,8 @@ function sanitizeShellString(str) { s[i] === '\\' || s[i] === '\t' || s[i] === '\n' || + s[i] === '\'' || + s[i] === '`' || s[i] === '"')) { result = result + s[i]; }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-m57p-p67h-mq74ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-26274ghsaADVISORY
- github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99ghsax_refsource_MISCWEB
- github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-m57p-p67h-mq74ghsax_refsource_CONFIRMWEB
- www.npmjs.com/advisories/1590ghsaWEB
- www.npmjs.com/package/systeminformationghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.