Platform
nodejs
Component
systeminformation
Fixed in
5.23.8
CVE-2024-56334 describes a Command Injection vulnerability discovered in the systeminformation Node.js library. This flaw allows attackers to execute arbitrary operating system commands by injecting malicious content into SSIDs. The vulnerability impacts versions of systeminformation up to 5.23.7, and a fix is available in version 5.23.7. Users are strongly advised to upgrade immediately.
The vulnerability arises from insufficient sanitization of SSIDs before they are passed as parameters to cmd.exe within the getWindowsIEEE8021x function. An attacker who can control the SSID value, either directly or indirectly through a compromised system, can inject malicious commands. Successful exploitation could lead to remote code execution (RCE) or local privilege escalation, depending on the context in which the systeminformation package is used. This could allow an attacker to gain control of the affected system, steal sensitive data, or install malware.
This vulnerability was publicly disclosed on December 20, 2024. There are currently no known active campaigns exploiting this specific vulnerability, but the ease of exploitation and potential for RCE suggest it could become a target. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
2.10% (84% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-56334 is to upgrade to version 5.23.7 or later of the systeminformation package. There are no known workarounds for this vulnerability beyond upgrading. If upgrading is not immediately feasible due to compatibility issues or breaking changes, carefully review all code that utilizes the getWindowsIEEE8021x function and implement strict input validation to sanitize SSIDs before they are passed to cmd.exe. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a crafted SSID containing malicious commands; the command should not be executed.
Actualice la biblioteca systeminformation a la versión 5.23.7 o superior. Esto corrige la vulnerabilidad de inyección de comandos en la función getWindowsIEEE8021x (SSID). Ejecute `npm install systeminformation@latest` para actualizar.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-56334 is a Command Injection vulnerability in the systeminformation Node.js library, allowing attackers to execute OS commands through unsanitized SSIDs. It affects versions up to 5.23.7.
You are affected if you are using systeminformation version 5.23.7 or earlier. Check your package.json file to determine your version.
Upgrade to version 5.23.7 or later of the systeminformation package using npm install systeminformation@latest. There are no known workarounds.
As of December 2024, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the systeminformation GitHub repository for updates and advisories: https://github.com/systeminformation/systeminformation
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.