CVE-2025-68154 is an OS command injection vulnerability classified under CWE-78 affecting the systeminformation library for Node.js, specifically versions before 5.27.14. The vulnerability arises in the fsSize() function, which retrieves filesystem size information on Windows systems by executing PowerShell commands. The function accepts an optional drive parameter that is directly concatenated into a PowerShell command string without proper sanitization or escaping. If an application passes user-controlled input to this parameter, an attacker can inject arbitrary PowerShell commands, leading to remote code execution. The vulnerability is exploitable remotely without authentication or user interaction, as the library is typically used in backend services. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality, integrity, and availability, with network attack vector and high attack complexity. The exploitability depends on how the fsSize() function is used by applications; if no user input reaches this function, the risk is mitigated. The vulnerability was publicly disclosed on December 16, 2025, and fixed in systeminformation version 5.27.14. No known exploits in the wild have been reported yet. This vulnerability is critical for Node.js applications running on Windows that use systeminformation for system metrics and do not sanitize input to fsSize().

For European organizations, this vulnerability poses a significant risk especially for those running Node.js applications on Windows servers that utilize the systeminformation library for system monitoring or diagnostics. Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise system confidentiality by accessing sensitive data, integrity by modifying system or application data, and availability by disrupting services or deploying ransomware. This can result in data breaches, operational downtime, and potential regulatory non-compliance under GDPR due to unauthorized access or data loss. Organizations in sectors with critical infrastructure, finance, healthcare, and government services are particularly at risk due to the potential impact on service continuity and data sensitivity. The vulnerability’s exploitation does not require authentication or user interaction, increasing the attack surface. However, the attack complexity is high, requiring knowledge of the vulnerable function’s usage and the ability to supply crafted input. The absence of known exploits in the wild suggests a window for proactive mitigation. Failure to patch or audit usage could lead to targeted attacks leveraging this vulnerability.

European organizations should immediately upgrade the systeminformation library to version 5.27.14 or later to apply the official patch. Additionally, developers must audit all codebases to identify any usage of the fsSize() function, particularly where the drive parameter may receive user input. Input validation and sanitization should be enforced rigorously, rejecting or safely escaping any untrusted input before passing it to fsSize(). Where possible, avoid passing user-controlled data to this function altogether. Implement runtime application self-protection (RASP) or Web Application Firewalls (WAFs) with rules to detect and block suspicious PowerShell command patterns. Employ strict access controls and network segmentation to limit exposure of vulnerable services. Conduct penetration testing focusing on injection vectors in systeminformation usage. Maintain up-to-date logging and monitoring to detect anomalous command execution attempts. Finally, educate developers on secure coding practices related to command injection and the risks of unsanitized input in system-level calls.