VYPR
High severityCISA KEVNVD Advisory· Published Feb 16, 2021· Updated Oct 21, 2025

Command Injection Vulnerability

CVE-2021-21315

Description

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
systeminformationnpm
< 5.3.15.3.1

Affected products

2

Patches

Vulnerability mechanics

References

10

News mentions

0

No linked articles in our index yet.