Heavily Used Node.js Package Has a Code Injection Vulnerability

by Fnord666 from SoylentNews on (#5ERH7)

upstart writes in with an IRC submission for SoyCow639:

Heavily used Node.js package has a code injection vulnerability:

A heavily downloaded Node.js library has a high severity command injection vulnerability revealed this month.

Tracked as CVE-2021-21315, the bug impacts the "systeminformation" npm component which gets about 800,000 weekly downloads and has scored close to 34 million downloads to date since its inception.

Put simply, "systeminformation" is a lightweight Node.js library that developers can include in their project to retrieve system information related to CPU, hardware, battery, network, services, and system processes.

[...] "This library is still work in progress. It is supposed to be used as a backend/server-side library (will definitely not work within a browser)," states the developer behind the component.

However, the presence of the code injection flaw within "systeminformation" meant an attacker could execute system commands by carefully injecting payload within the unsanitized parameters used by the component.

[...] Users of "systeminformation" should upgrade to versions 5.3.1 and above to resolve the CVE-2021-21315 vulnerability in their application.
