Popular Node.js package library systeminformation has recently patched a severe command injection vulnerability in the repository that could have left applications jeopardized.

Systeminformation is a lightweight collection of functions that retrieves detailed system, hardware, and operating system information from servers that host Node.js package applications. The repository has about 850,000 weekly downloads on NPM, the main online library for Node.js packages.

Command injection vulnerabilities in Node.js package systems:

To the unaware, a command injection is a type of vulnerability that permits bad actors to execute arbitrary OS commands on the server, where the application is operating. When applications make use of scripts that execute shell commands in the background, the application is at risk of command injection vulnerabilities. 

The bad actors then manipulate applications to dispatch system-level commands to the host server.

According to cybersecurity experts, the Node.js package repository system information should not be generally utilized in conjunction with user input. Rather, it is a package deliberated to be used at the backend.

However, it is observed that in some use cases, system developers and maintainers facilitate some of the repository’s Node.js package functions to the end-users. This enables the passing of parameters that will then be forwarded to the system information package.

As for the vulnerabilities in the node.js package of system information, four of the function in the repository were detected to be vulnerable to command injection attacks.

According to researchers, the command injection vulnerability was due to a special peculiar case of unconventional parameter checking and array sanitation.

If the inputs were not sanitized and users had the ability to pass a parameter as a JavaScript array to the functions, there was a potential of implementing detrimental code like a DoS i.e Denial of Service on the systems operating on Node.js packages of system information.

However, string input remained unaffected by the command injection vulnerability.

Patching the Node.js package vulnerability of systeminformation:

The command injection vulnerability has a ‘moderate’ rating or classification on GitHub.

The maintainers of system information patched up the Node.js package vulnerability in the latest version of system information and have recommended developers update the existing versions to the foremost one. 

A provision of the names of the vulnerable functions has been supplemented by system information and advises to perform manual sanitation of parameters. This kind of workaround check can be used in cases where developers utilizing the library cannot update to the latest version of system information.