
CVE-2025-68154: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sebhildebrandt systeminformation

Severity: High
Tags: Vulnerability, CVE-2025-68154, CWE-78
Published: Tue Dec 16 2025 (12/16/2025, 18:18:03 UTC)
Source: CVE Database V5
Vendor/Project: sebhildebrandt
Product: systeminformation

Description

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.

AI-Powered Analysis

AI analysis last updated: 12/23/2025, 19:26:56 UTC

Technical Analysis

CVE-2025-68154 is an OS command injection vulnerability classified under CWE-78 found in the systeminformation library for Node.js, a popular tool for retrieving system and OS information. The vulnerability exists in the fsSize() function on Windows platforms in versions prior to 5.27.14. The issue arises because the optional 'drive' parameter is concatenated directly into a PowerShell command string without any sanitization or validation. This allows an attacker who can influence the input to the 'drive' parameter to inject arbitrary PowerShell commands, leading to remote code execution. The exploitability depends on whether the application using systeminformation passes user-controlled input to fsSize(). If the input is controlled by an attacker, they can execute arbitrary commands with the privileges of the Node.js process. The vulnerability does not require authentication or user interaction, increasing its risk. The CVSS v3.1 score of 8.1 reflects high impact on confidentiality, integrity, and availability, but the attack complexity is high due to the need to influence the input parameter. The vulnerability was publicly disclosed on December 16, 2025, and fixed in version 5.27.14 of the library. No known exploits have been reported in the wild yet. Organizations using systeminformation on Windows should upgrade immediately and audit their code to ensure no untrusted input reaches fsSize().

Potential Impact

For European organizations, this vulnerability poses a significant risk especially for those running Node.js applications on Windows servers that utilize the systeminformation library. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands, potentially leading to data theft, service disruption, or lateral movement within networks. This can impact confidentiality by exposing sensitive data, integrity by allowing unauthorized changes, and availability by disrupting services. Critical infrastructure, financial institutions, and enterprises with Windows-based Node.js environments are particularly vulnerable. Since the vulnerability requires no authentication or user interaction, it could be exploited remotely if the application exposes the vulnerable function to attacker-controlled input. The lack of known exploits currently provides a window for proactive mitigation, but the high CVSS score indicates that impact would be severe if exploited.

Mitigation Recommendations

1. Immediately upgrade the systeminformation library to version 5.27.14 or later, where the vulnerability is patched.
2. Conduct a thorough code review to identify all usages of the fsSize() function and verify that no user-controlled input is passed to the 'drive' parameter.
3. Implement strict input validation and sanitization for any parameters that influence system commands, especially those passed to PowerShell or shell commands.
4. Employ application-level security controls such as Web Application Firewalls (WAFs) to detect and block suspicious command injection patterns.
5. Restrict the privileges of Node.js processes to minimize impact if exploitation occurs, following the principle of least privilege.
6. Monitor logs for unusual PowerShell command executions or unexpected systeminformation library calls.
7. Educate developers about secure coding practices related to command execution and parameter handling.
8. If upgrading immediately is not possible, consider isolating affected applications or disabling features that invoke fsSize() with external input until patched.
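The technical analysis above describes the root cause (the `drive` argument is concatenated into a PowerShell command string), and mitigation steps 2 and 3 ask applications to make sure only validated input reaches `fsSize()`. The following is an added example of such a guard; it is not code from the systeminformation project. It assumes only what the page states (an optional `drive` parameter on `fsSize()`); the function names `normalizeDriveArg`, `isSafeDriveArg`, `fsSizeGuarded` and the stand-in `fakeFsSize` are this example's own, and restricting the value to a single drive letter is a design choice made here, not a documented accepted format of the library. The real `fsSize` is injected as a parameter so the example runs without the package installed.

```javascript
'use strict';

// Allowlist rather than denylist: exactly one drive letter, optionally followed
// by a colon. Separators, quotes, backticks, "$(...)" and whitespace can never
// match, so nothing that could extend a PowerShell command string gets through.
const DRIVE_LETTER_RE = /^[A-Za-z]:?$/;

/**
 * Normalize an untrusted `drive` value before it reaches fsSize().
 *   undefined / null -> undefined (parameter omitted; fsSize() reports all volumes)
 *   "c", "C", " C: " -> "C:"
 *   anything else    -> throws (the caller must reject the request)
 */
function normalizeDriveArg(value) {
  if (value === undefined || value === null) return undefined;
  if (typeof value !== 'string') {
    throw new TypeError('drive must be a string');
  }
  const trimmed = value.trim();
  if (!DRIVE_LETTER_RE.test(trimmed)) {
    throw new RangeError('drive must be a single drive letter such as "C:"');
  }
  return trimmed[0].toUpperCase() + ':';
}

/** Boolean form for request validators or middleware. */
function isSafeDriveArg(value) {
  try {
    normalizeDriveArg(value);
    return true;
  } catch (e) {
    return false;
  }
}

/**
 * Call this instead of fsSize() directly. `fsSizeImpl` is whatever the
 * application uses (in production: require('systeminformation').fsSize, which
 * returns a Promise); the wrapper passes its return value straight through.
 */
function fsSizeGuarded(fsSizeImpl, drive) {
  const safeDrive = normalizeDriveArg(drive);
  return safeDrive === undefined ? fsSizeImpl() : fsSizeImpl(safeDrive);
}

// Constructed stand-in for fsSize(): not the real library. It records which
// drive it was asked for so the guard's effect can be observed offline.
function fakeFsSize(drive) {
  return [{ fs: drive === undefined ? 'ALL' : drive, size: 512e9, used: 128e9 }];
}

// Constructed sample inputs of the kind an HTTP handler might forward.
const SAMPLE_INPUTS = ['C', ' d: ', undefined, 'C:; extra', 'C:$(x)', 'CD', 42];

for (const sample of SAMPLE_INPUTS) {
  const verdict = isSafeDriveArg(sample) ? 'accepted' : 'rejected';
  console.log(`${JSON.stringify(sample)} -> ${verdict}`);
}
```

Only the first three samples are accepted; the guard rejects anything that is not a bare drive letter, so an application that routes all calls through `fsSizeGuarded` cannot forward attacker-controlled text to the vulnerable concatenation even before the upgrade to 5.27.14 is rolled out (the upgrade is still required; the guard is defence in depth, not a substitute).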


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-15T23:02:17.603Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6941a4041a61eff6269a934d

Added to database: 12/16/2025, 6:25:08 PM

Last enriched: 12/23/2025, 7:26:56 PM

Last updated: 2/6/2026, 9:08:18 AM

