GHSA-9c88-49p5-5ggf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9c88-49p5-5ggf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9c88-49p5-5ggf/GHSA-9c88-49p5-5ggf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9c88-49p5-5ggf
- Aliases
- Downstream
- Related
- Published
- 2026-02-18T21:51:26Z
- Modified
- 2026-02-19T22:59:13.128260Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
- Details
-
Summary
A command injection vulnerability in the
wifiNetworks()function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.Details
In
lib/wifi.js, thewifiNetworks()function sanitizes theifaceparameter on the initial call (line 437). However, when the initial scan returns empty results, asetTimeoutretry (lines 440-441) callsgetWifiNetworkListIw(iface)with the original unsanitizedifacevalue, which is passed directly toexecSync('iwlist ${iface} scan').PoC
- Install
systeminformation@5.30.7 - Call
si.wifiNetworks('eth0; id') - The first call sanitizes input, but if results are empty, the retry executes:
iwlist eth0; id scan
Impact
Remote Code Execution (RCE). Any application passing user-controlled input to
si.wifiNetworks()is vulnerable to arbitrary command execution with the privileges of the Node.js process. - Install
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-78" ], "github_reviewed_at": "2026-02-18T21:51:26Z", "nvd_published_at": "2026-02-19T20:25:43Z", "severity": "HIGH" }- References
Affected packages
npm / systeminformation
Package
- Name
- systeminformation
- View open source insights on deps.dev
- Purl
- pkg:npm/systeminformation