VYPR
Critical severity · NVD Advisory · Published Sep 21, 2023 · Updated Sep 24, 2024

systeminformation SSID Command Injection Vulnerability

CVE-2023-42810

Description

systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have an SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks() (string only).
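
The workaround above, sketched as an added example (not code from systeminformation or the advisory): a caller-side check applied to SSID strings before they are handed to wifiConnections() or wifiNetworks() on an unpatched version. The function names, the allowlist rules and the sample scan data are assumptions made for illustration.

```javascript
// Added example, not systeminformation code; names and rules are assumptions.
const MAX_SSID_BYTES = 32; // IEEE 802.11 limits an SSID to 32 octets

// Allowlist: Unicode letters and digits, space, underscore, dot, hyphen.
// Shell-special characters ($, backtick, ;, |, &, quotes, newlines) are outside it.
const SSID_ALLOWED = /^[\p{L}\p{N} _.-]+$/u;

// A hyphen that starts a word could be parsed as an option by the called tool.
const WORD_INITIAL_DASH = /(^|\s)-/;

// Return null when the SSID may be forwarded, otherwise the reason for rejecting it.
function ssidRejection(ssid) {
  if (typeof ssid !== 'string') return 'not a string';
  if (ssid.length === 0) return 'empty';
  if (Buffer.byteLength(ssid, 'utf8') > MAX_SSID_BYTES) return 'longer than 32 bytes';
  if (WORD_INITIAL_DASH.test(ssid)) return 'dash at start of a word';
  if (!SSID_ALLOWED.test(ssid)) return 'character outside allowlist';
  return null;
}

// Split scan results into entries to forward and entries to drop and log.
function triageNetworks(networks) {
  const accepted = [];
  const rejected = [];
  for (const nw of networks) {
    const reason = ssidRejection(nw && nw.ssid);
    if (reason === null) accepted.push(nw);
    else rejected.push({ bssid: nw ? nw.bssid : undefined, reason });
  }
  return { accepted, rejected };
}

// Constructed sample scan: the SSID is chosen by whoever operates the access point.
const SAMPLE_SCAN = [
  { ssid: 'Office-5G', bssid: '02:00:00:00:00:01' },
  { ssid: 'Caf\u00e9 Wifi', bssid: '02:00:00:00:00:02' },
  { ssid: 'guest$(x)', bssid: '02:00:00:00:00:03' },
  { ssid: 'a;b', bssid: '02:00:00:00:00:04' },
  { ssid: 'x'.repeat(33), bssid: '02:00:00:00:00:05' },
  { ssid: '-h', bssid: '02:00:00:00:00:06' },
];

console.log(triageNetworks(SAMPLE_SCAN));
```

The length check counts UTF-8 bytes rather than characters, so a short string of multi-byte characters is still rejected once it exceeds 32 octets.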

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: systeminformation (npm)
Affected versions: >= 5.0.0, < 5.21.7
Patched versions: 5.21.7

Patches

7972565812cc

wifi sanitizing ssid names

https://github.com/sebhildebrandt/systeminformation · Sebastian Hildebrandt · Sep 19, 2023 · via ghsa
4 files changed · +35 −4
  • docs/history.html · +5 −0 · modified
    @@ -57,6 +57,11 @@ <h3>Full version history</h3>
                         </tr>
                       </thead>
                       <tbody>
    +                    <tr>
    +                      <th scope="row">5.21.7</th>
    +                      <td>2023-09-19</td>
    +                      <td><span class="code">wifiConnections()</span> <span class="code">wifiNetworks()</span>fixed security issue (linux)</td>
    +                    </tr>
                         <tr>
                           <th scope="row">5.21.6</th>
                           <td>2023-09-18</td>
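
Review bot: In the added 5.21.7 row there is no space between the closing </span> after wifiNetworks() and "fixed security issue (linux)", so the rendered entry reads "wifiNetworks()fixed security issue"; add a space after the </span>. The row also names both wifiConnections() and wifiNetworks(), while the lib/wifi.js change in this commit sits only inside wifiConnections(); either narrow the entry or state where wifiNetworks() is covered.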
    
  • docs/index.html · +2 −2 · modified
    @@ -166,11 +166,11 @@
     <body>
       <header class="bg-image-full">
         <div class="top-container">
    -      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.6.13</a>
    +      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.21.7</a>
           <img class="logo" src="assets/logo.png" alt="logo">
           <div class="title">systeminformation</div>
           <div class="subtitle"><span id="typed"></span>&nbsp;</div>
    -      <div class="version">New Version: <span id="version">5.21.6</span></div>
    +      <div class="version">New Version: <span id="version">5.21.7</span></div>
           <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
         </div>
         <div class="down">
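
Review bot: The banner text on the security.html link now says only "Update to v5.21.7", while the advisory text added to security.html in this same commit also gives a fixed release for version 4 users (>= 4.34.22); word the banner so it covers both lines, or have it defer to security.html for the version to install.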
    
  • docs/security.html · +19 −1 · modified
    @@ -49,6 +49,24 @@ <h2>Passing User Paramters to Systeminformation</h2>
                     <p class="warning">This can lead to serious impact on your servers!</p>
                     <p>We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing <span class="code">"systeminformation": "^4"</span> in your package.json (dependencies) and run <span class="code">npm install</span></p>
     
    +                <h2>SSID Command Injection Vulnerability</h2>
    +                <p><span class="bold">Affected versions:</span>
    +                  &lt; 5.21.07 and &lt; 4.34.22<br>
    +                  <span class="bold">Date:</span> 2023-09-19<br>
    +                  <span class="bold">CVE indentifier</span> -
    +                </p>
    +
    +                <h4>Impact</h4>
    +                <p>We had an issue that there was a possibility to perform a potential command injection possibility by crafting detected SSIDs in <span class="code">wifiConnections()</span>, <span class="code">wifiNetworks()</span>.</p>
    +
    +                <h4>Patch</h4>
    +                <p>Problem was fixed with parameter checking. Please upgrade to version >= 5.7.21 (or >= 4.34.22 if you are using version 4).</p>
    +
    +                <h4>Workaround</h4>
    +                <p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">wifiConnections()</span>, <span class="code">wifiNetworks()</span> (string only)</p>
    +                <hr>
    +                <br>
    +
                     <h2>Command Injection Vulnerability</h2>
                     <p><span class="bold">Affected versions:</span>
                       &lt; 5.6.13 and &lt; 4.34.21<br>
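
Review bot: The version numbers in the new advisory block disagree: the Patch paragraph says "upgrade to version >= 5.7.21", the Affected versions line says "< 5.21.07", and the release documented elsewhere in this commit is 5.21.7; the Patch paragraph should read >= 5.21.7 and the affected line < 5.21.7 without zero padding. In the same block, "CVE indentifier" is misspelled and its value is left as "-", the Impact sentence repeats itself ("a possibility to perform a potential command injection possibility"), and the bare ">=" should be written as &gt;= to match the &lt; entities used two paragraphs above.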
    @@ -255,4 +273,4 @@ <h4>Workaround</h4>
       </script>
     </body>
     
    -</html>
    \ No newline at end of file
    +</html>
    
  • lib/wifi.js · +9 −1 · modified
    @@ -549,7 +549,15 @@ function wifiConnections(callback) {
               const wpaDetails = wpaConnectionLinux(ifaceSanitized);
               const ssid = nmiDetails.ssid || wpaDetails.ssid;
               const network = networkList.filter(nw => nw.ssid === ssid);
    -          const nmiConnection = nmiConnectionLinux(ssid);
    +          let ssidSanitized = '';
    +          const t = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(ssid, true);
    +          for (let i = 0; i <= util.mathMin(t.length, 2000); i++) {
    +            if (t[i] !== undefined) {
    +              ssidSanitized = ssidSanitized + t[i];
    +            }
    +          }
    +
    +          const nmiConnection = nmiConnectionLinux(ssidSanitized);
               const channel = network && network.length && network[0].channel ? network[0].channel : (wpaDetails.channel ? wpaDetails.channel : null);
               const bssid = network && network.length && network[0].bssid ? network[0].bssid : (wpaDetails.bssid ? wpaDetails.bssid : null);
               if (ssid && bssid) {
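
Review bot: The copy loop's bound, i <= util.mathMin(t.length, 2000), is off by one: it runs through index 2000 inclusive, so up to 2001 characters are kept, and it avoids appending undefined only because of the t[i] !== undefined guard. Use i < util.mathMin(t.length, 2000), and if the character-by-character copy is deliberate alongside the isPrototypePolluted() check, add a comment saying so. The sanitizing is also applied at this single call site rather than inside nmiConnectionLinux(), so any other caller of that function gets no protection from this change; moving the check into the callee would cover them.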
    
