Remote Code Execution Vulnerability in Node.js systeminformation Library on Windows
A critical vulnerability has been identified in the systeminformation library for Node.js, specifically affecting Windows systems. The flaw, tracked as CVE-2025-68154, resides in the fsSize() function, which fails to properly sanitize the drive parameter before concatenating it into a PowerShell command. This oversight allows for OS command injection, enabling attackers to execute arbitrary commands on affected systems if user-controlled input is passed to the vulnerable function. The issue is particularly concerning given the library's widespread use, with over 16 million monthly users potentially at risk.
The vulnerability is remotely exploitable and has been addressed in version 5.27.14 of the library. Security researchers emphasize that the actual risk depends on how applications utilize the fsSize() function; if user input is not passed to this function, the risk is mitigated. Organizations using the systeminformation library on Windows are strongly advised to update to the patched version immediately to prevent exploitation and potential compromise of their systems.
Timeline
Dec 18, 2025
Public reporting highlights potential impact on 16M+ monthly users
Subsequent public reporting emphasized that the Windows RCE risk in the systeminformation package could affect more than 16 million monthly users of the library. The coverage framed the flaw as a significant risk for Node.js deployments using the package on Windows systems.
Dec 16, 2025
systeminformation 5.27.14 released to patch CVE-2025-68154
The vulnerability was patched in systeminformation version 5.27.14, with advisories and patch details made available on GitHub. Users were advised to upgrade to 5.27.14 or later and avoid passing unsanitized user input to fsSize().
Dec 16, 2025
Command injection flaw identified in systeminformation fsSize() on Windows
A high-severity OS command injection vulnerability, tracked as CVE-2025-68154, was identified in the systeminformation Node.js library's fsSize() function on Windows. The issue stems from unsanitized concatenation of the optional drive parameter into a PowerShell command, enabling arbitrary command execution when applications pass user-controlled input.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
Related Stories
Windows PowerShell 0-Day Remote Code Execution Vulnerability (CVE-2025-54100)
Microsoft has disclosed a critical 0-day vulnerability in Windows PowerShell, tracked as CVE-2025-54100, which allows attackers to execute arbitrary code on affected systems. The flaw arises from improper neutralization of special elements in PowerShell's command processing, enabling command injection if an attacker can trick a user into running a malicious script or command. Exploitation requires local access and user interaction, but successful attacks can result in privilege escalation and full system compromise, making this vulnerability a significant risk for organizations relying on PowerShell for administration and automation. No official patch is available yet, and Microsoft has urged organizations to apply immediate mitigations and monitor for updates. The vulnerability is rated as 'Important' with a CVSS score of 7.8, and its potential for chaining with other exploits increases its attractiveness to threat actors. Attack vectors include phishing, watering-hole attacks, and supply-chain compromises where PowerShell scripts are abused during software installation or updates. Security teams are advised to remain vigilant and implement recommended mitigations until a patch is released.
1 months ago
Critical Remote Code Execution Vulnerability in Happy DOM JavaScript Library
A critical security vulnerability, tracked as CVE-2025-61927, has been discovered in the Happy DOM JavaScript library, which is widely used for server-side rendering and testing frameworks. The flaw allows attackers to escape the virtual machine (VM) context, potentially leading to remote code execution on affected systems. Happy DOM, with over 2.7 million weekly downloads, is integrated into numerous applications, amplifying the potential impact of this vulnerability. The root cause of the issue lies in improper isolation of the Node.js VM context in Happy DOM versions 19 and earlier, which fails to adequately sandbox untrusted code. Security researcher Mas0nShi identified that attackers can exploit the JavaScript constructor inheritance chain to access the global Function constructor, enabling arbitrary code execution. In environments using the CommonJS module system, attackers can further leverage the require() function to import and execute additional modules, broadening the attack surface. While ECMAScript module (ESM) environments restrict some capabilities, they are still affected by the core VM context escape. The vulnerability has been assigned a CVSS score of 9.4, underscoring its severity and the urgency for remediation. Millions of applications that rely on Happy DOM for testing or server-side rendering are at risk if they have not updated to a patched version. The flaw enables attackers to bypass intended security boundaries, potentially compromising the host system and any sensitive data processed within the affected environment. Security advisories recommend immediate updates to the latest version of Happy DOM to mitigate the risk. Organizations are urged to review their software supply chain for dependencies on Happy DOM and to apply patches as soon as possible. The vulnerability highlights the risks associated with improper sandboxing in JavaScript environments, especially in widely adopted open-source libraries. No reports of active exploitation have been confirmed at this time, but the public disclosure and technical details increase the likelihood of exploitation attempts. Security teams should monitor for suspicious activity related to Node.js processes and review application logs for signs of compromise. The incident serves as a reminder of the importance of rigorous security testing and isolation in libraries that execute untrusted code. Developers and DevOps teams should prioritize dependency management and vulnerability scanning to reduce exposure to similar flaws in the future.
1 months ago
Active Exploitation of Windows Kernel Privilege Escalation Vulnerability CVE-2025-62215
Microsoft has disclosed a critical elevation-of-privilege vulnerability in the Windows Kernel, tracked as CVE-2025-62215, which is being actively exploited in the wild. The flaw arises from a race condition and improper memory management, specifically a double-free scenario, allowing local attackers to escalate privileges to SYSTEM level. Exploitation requires an attacker to already have access to the system, but no user interaction is needed, and the attack can be automated. Microsoft has rated the vulnerability as Important, with a CVSS score of 7.0, and notes that all supported Windows 10 editions are affected, including those under Extended Security Updates (ESU). No workaround is available other than applying the official update, and immediate patching is strongly recommended. The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-415 (Double Free), making it a classic post-compromise privilege escalation vector. Attackers can exploit the timing-sensitive memory corruption path in the kernel to gain elevated access, disable security defenses, and move laterally within networks. The attack surface is particularly concerning in enterprise environments where multiple users share access, as any authenticated user can potentially trigger the exploit. Security experts warn that both targeted threat actors and ransomware operators may leverage this flaw to deepen their foothold after initial access, emphasizing the urgency of deploying the security update across all affected systems.
1 months ago