VYPR
High severity · NVD Advisory · Published Oct 26, 2020 · Updated Sep 17, 2024

Command Injection

CVE-2020-7752

Description

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in systeminformation npm package before 4.27.11 allows arbitrary OS command execution via crafted curl parameters.

Vulnerability Description

The vulnerability is a command injection flaw in the inetChecksite() function of the systeminformation npm package (versions <4.27.11). The function constructs a shell command using user-supplied parameters (e.g., a URL or service string) without proper sanitization. This allows an attacker to inject additional arguments to the curl command, leading to arbitrary command execution [2].

Exploitation

An attacker can exploit this by passing a malicious string (e.g., a URL containing -o overwrite flags or --exec commands) as the service parameter. No authentication is required if the application passes untrusted input directly to si.inetChecksite(). The injected curl arguments can overwrite JavaScript files or execute OS commands on the server [4].

Impact

Successful exploitation enables the attacker to overwrite arbitrary files (e.g., JavaScript files) within the Node.js application's context, leading to remote code execution. This can result in full compromise of the server, including data theft, service disruption, or further lateral movement.

Mitigation

The issue is fixed in version 4.27.11 and later. Users should upgrade immediately. As a workaround, if upgrading is not possible, sanitize all user inputs that are passed to the inetChecksite() function, ensuring no shell metacharacters or additional arguments can be injected [4].
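
A caller-side check of the kind the workaround describes, together with a version gate for the fixed release. This is an added example, not code from the systeminformation project or from this advisory; validateCheckUrl and isPatchedVersion are hypothetical names, and the character allowlist is an assumption about what a site check needs.

```javascript
// Added example: caller-side gate for values passed to si.inetChecksite().
// validateCheckUrl and isPatchedVersion are hypothetical helper names.
const FIXED = [4, 27, 11]; // first patched release, per the advisory
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Assumed allowlist for the serialized URL: spaces, quotes, '$', parentheses,
// braces, ';', '&', '|' and backticks cannot pass.
const SAFE_HREF = /^[A-Za-z0-9._~:\/?=%-]+$/;

// True when an installed "x.y.z" version is at or above 4.27.11.
function isPatchedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false; // unknown format: treat as unpatched
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] > FIXED[i];
  }
  return true;
}

// Returns a normalized http(s) URL string, or null when the input is rejected.
function validateCheckUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  // Reject whitespace and control characters before parsing: the URL parser
  // strips or encodes some of them, which would hide what the caller sent.
  if (/[\s\u0000-\u001f\u007f]/.test(input)) return null;
  let parsed;
  try {
    parsed = new URL(input);
  } catch (e) {
    return null; // not an absolute URL; option-like strings such as "--flag" end here
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null; // no embedded credentials
  // Hostname must be plain DNS/IPv4 characters; IPv6 literals are rejected too.
  if (!/^[a-z0-9][a-z0-9.-]*$/.test(parsed.hostname)) return null;
  return SAFE_HREF.test(parsed.href) ? parsed.href : null;
}

// Constructed sample inputs (not taken from the advisory).
const samples = ['https://example.com/status', 'https://example.com/ --flag value', 'file:///etc/hosts'];
for (const s of samples) console.log(JSON.stringify(s), '->', validateCheckUrl(s));
```

Only a non-null return value should be handed to si.inetChecksite(); the version gate is for a startup or CI check against the installed package version.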

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
systeminformation (npm) | < 4.27.11 | 4.27.11

Patches

931fecaec2c1

inetChecksite() fixed vulnerability: command injection

https://github.com/sebhildebrandt/systeminformation · Sebastian Hildebrandt · Oct 26, 2020 · via ghsa
4 files changed · +14 −2
  • CHANGELOG.md+1 0 modified
    @@ -30,6 +30,7 @@ For major (breaking) changes - version 3 and 2 see end of page.
     
     | Version        | Date           | Comment  |
     | -------------- | -------------- | -------- |
    +| 4.27.11        | 2020-10-26     | `inetChecksite()` fixed vulnerability: command injection |
     | 4.27.10        | 2020-10-16     | `dockerContainers()` resolved hanging issue |
     | 4.27.9         | 2020-10-13     | `networkInterfaces()` loopback internal detection (windows) |
     | 4.27.8         | 2020-10-08     | windows codepages partial fix |
    
  • docs/history.html+5 0 modified
    @@ -83,6 +83,11 @@ <h3>Full version history</h3>
                       </tr>
                     </thead>
                     <tbody>
    +                  <tr>
    +                    <th scope="row">4.27.11</th>
    +                    <td>2020-10-26</td>
    +                    <td><span class="code">inetChecksite()</span> fixed vulnerability: command injection</td>
    +                  </tr>
                       <tr>
                         <th scope="row">4.27.10</th>
                         <td>2020-10-16</td>
    
  • docs/index.html+1 1 modified
    @@ -168,7 +168,7 @@
           <img class="logo" src="assets/logo.png">
           <div class="title">systeminformation</div>
           <div class="subtitle"><span id="typed"></span></div>
    -      <div class="version">Current Version: <span id="version">4.27.10</span></div>
    +      <div class="version">Current Version: <span id="version">4.27.11</span></div>
           <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
         </div>
         <div class="down">
    
  • lib/internet.js+7 1 modified
    @@ -34,7 +34,13 @@ function inetChecksite(url, callback) {
       return new Promise((resolve) => {
         process.nextTick(() => {
     
    -      const urlSanitized = util.sanitizeShellString(url).toLowerCase();
    +      let urlSanitized = util.sanitizeShellString(url).toLowerCase();
    +      urlSanitized = urlSanitized.replace(/ /g, '');
    +      urlSanitized = urlSanitized.replace(/\$/g, '');
    +      urlSanitized = urlSanitized.replace(/\(/g, '');
    +      urlSanitized = urlSanitized.replace(/\)/g, '');
    +      urlSanitized = urlSanitized.replace(/{/g, '');
    +      urlSanitized = urlSanitized.replace(/}/g, '');
           let result = {
             url: urlSanitized,
             ok: false,
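
Review bot: The six chained replace() calls on urlSanitized are a character denylist (space, $, parentheses, braces) layered on util.sanitizeShellString(); nothing in this hunk checks that the result is still a well-formed http(s) URL or rejects a value that begins with "-", so the fix depends on the denylist being complete for however the string is used further down. Consider parsing the input with the URL class, accepting only http: and https:, and resolving early with ok: false for anything else; if the command below this hunk is built as a shell string, passing the URL as a separate argument to a non-shell exec call would remove the need for stripping at all. Smaller points: the six calls can be a single replace(/[ $(){}]/g, ''), and because result.url is set to urlSanitized the caller gets back a lowercased, stripped string rather than the URL it supplied, which deserves a line in the function's documentation.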
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
