CVE-2024-56334
Description
systeminformation is a system and OS information library for Node.js. In affected versions, SSIDs are not sanitized before they are passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
systeminformation library fails to sanitize SSIDs, allowing command injection via cmd.exe, potentially leading to RCE or LPE.
Vulnerability
Overview
The getWindowsIEEE8021x function in the systeminformation library for Node.js does not sanitize SSID strings before passing them as parameters to cmd.exe. This omission allows an attacker to inject arbitrary OS commands through a crafted SSID. The root cause is insufficient input validation [1].
Exploitation
An attacker can exploit this vulnerability by making the library process a malicious SSID. This can happen when the function is called to retrieve Wi-Fi profiles that include an SSID controlled by an attacker, for example, by connecting to a rogue access point or via network scanning. No authentication is required for the command injection if the library processes the SSID [1].
Impact
Successful exploitation enables an attacker to execute arbitrary commands on the target system with the privileges of the Node.js application. This can lead to remote code execution (RCE) or local privilege escalation (LPE), depending on the deployment context [1].
Mitigation
The issue has been addressed in systeminformation version 5.23.7. All users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| systeminformation (npm) | < 5.23.7 | 5.23.7 |
Affected products
- (no CPE) range: v3.42.5, v3.42.6, v3.42.7, …
- (no CPE) range: <5.23.7
Patches
2efcb478420c3f7af0a67b78e: networkInterfaces() sanitizing SSID names (windows)
4 files changed · +20 −4
CHANGELOG.md+1 −0 modified@@ -90,6 +90,7 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page. | Version | Date | Comment | | ------- | ---------- | --------------------------------------------------------------------------------------------------- | +| 5.23.7 | 2024-12-09 | `networkInterfaces()` sanitizing SSID names (windows) | | 5.23.6 | 2024-12-08 | `system()` added Raspberry CM5 detection | | 5.23.5 | 2024-08-21 | `processLoad()` fixed * process list (linux) | | 5.23.4 | 2024-08-06 | `baseboard()` `chassis()` cleaned defaults (linux) |
docs/history.html+5 −0 modified@@ -57,6 +57,11 @@ <h3>Full version history</h3> </tr> </thead> <tbody> + <tr> + <th scope="row">5.23.7</th> + <td>2024-12-09</td> + <td><span class="code">networkInterfaces()</span> sanitizing SSID names (windows)</td> + </tr> <tr> <th scope="row">5.23.6</th> <td>2024-12-08</td>
docs/index.html+1 −1 modified@@ -170,7 +170,7 @@ <img class="logo" src="assets/logo.png" alt="logo"> <div class="title">systeminformation</div> <div class="subtitle"><span id="typed"></span> </div> - <div class="version">New Version: <span id="version">5.23.6</span></div> + <div class="version">New Version: <span id="version">5.23.7</span></div> <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button> </div> <div class="down">
lib/network.js+13 −3 modified@@ -348,7 +348,7 @@ function getWindowsWirelessIfaceSSID(interfaceName) { try { const result = execSync(`netsh wlan show interface name="${interfaceName}" | findstr "SSID"`, util.execOptsWin); const SSID = result.split('\r\n').shift(); - const parseSSID = SSID.split(':').pop(); + const parseSSID = SSID.split(':').pop().trim(); return parseSSID; } catch (error) { return 'Unknown'; @@ -400,8 +400,18 @@ function getWindowsIEEE8021x(connectionType, iface, ifaces) { try { const SSID = getWindowsWirelessIfaceSSID(iface); if (SSID !== 'Unknown') { - i8021xState = execSync(`netsh wlan show profiles "${SSID}" | findstr "802.1X"`, util.execOptsWin); - i8021xProtocol = execSync(`netsh wlan show profiles "${SSID}" | findstr "EAP"`, util.execOptsWin); + + let ifaceSanitized = ''; + const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(SSID); + const l = util.mathMin(s.length, 2000); + + for (let i = 0; i <= l; i++) { + if (s[i] !== undefined) { + ifaceSanitized = ifaceSanitized + s[i]; + } + } + i8021xState = execSync(`netsh wlan show profiles "${ifaceSanitized}" | findstr "802.1X"`, util.execOptsWin); + i8021xProtocol = execSync(`netsh wlan show profiles "${ifaceSanitized}" | findstr "EAP"`, util.execOptsWin); } if (i8021xState.includes(':') && i8021xProtocol.includes(':')) {
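Review bot: in the first lib/network.js hunk (getWindowsWirelessIfaceSSID), the added `.trim()` only strips the trailing whitespace from the findstr line; `SSID.split(':').pop()` still keeps only the text after the last colon, so an SSID that itself contains a colon is truncated. Splitting at the first colon (`SSID.slice(SSID.indexOf(':') + 1).trim()`) avoids that. The value returned here is still raw and is only sanitized at the single caller in getWindowsIEEE8021x; sanitizing it in this function would cover any future caller. Also, `interfaceName` is interpolated into the `execSync` command string in this same hunk without sanitization, so the fix should document that this value only ever comes from netsh's own interface listing.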
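Review bot: in the second lib/network.js hunk (getWindowsIEEE8021x), the character-copy loop has an off-by-one (`i <= l` reads index `l`, masked only by the `!== undefined` check) and reduces to `s.slice(0, 2000)`; replace the loop with that. The fix still builds a cmd.exe command line by string interpolation and depends entirely on `util.sanitizeShellString`, which is not in this diff; passing the SSID as an argv element via `execFileSync('netsh', ['wlan', 'show', 'profiles', ssid])` and filtering for `802.1X`/`EAP` in JavaScript would take the shell out of the path altogether. Minor: `ifaceSanitized` holds the sanitized SSID rather than an interface name, and the `'---'` fallback when `util.isPrototypePolluted()` is true silently queries a bogus profile instead of reporting the condition.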
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.