A severe security vulnerability, tracked as CVE-2024-56334, has been discovered in the popular Node.js package “systeminformation,” which is widely used for gathering system-related information. This vulnerability affects versions up to and including 5.23.6, a package that boasts over 8 million monthly downloads and more than 330 million total downloads. The flaw lies in a command injection vulnerability within the getWindowsIEEE8021x function, which retrieves network SSID information. Due to improper sanitization of the SSID before being passed as a parameter to cmd.exe, attackers can inject malicious commands into the SSID field.
Exploitation of this vulnerability could lead to remote code execution (RCE) or local privilege escalation on affected systems. By embedding malicious commands in the SSID of a Wi-Fi network, an attacker could execute arbitrary commands on a vulnerable system when the getWindowsIEEE8021x function is invoked. A proof of concept demonstrates that this flaw can be exploited in two ways: executing a ping command indefinitely or running an arbitrary executable with elevated privileges. Both attacks can be triggered simply by connecting to a maliciously crafted Wi-Fi network.
The maintainers of “systeminformation” have already addressed the issue in version 5.23.7. Users are strongly encouraged to update to the latest version to protect their systems from potential attacks. For developers who are unable to upgrade immediately, a temporary workaround involves manually sanitizing parameters passed to certain functions, such as si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad(). While this is a suitable short-term measure, updating to the patched version is recommended for comprehensive security.
This discovery highlights the ongoing security challenges within the npm ecosystem and the potential risks associated with the widespread use of open-source packages. Developers are urged to prioritize security by regularly updating their dependencies, monitoring security advisories, and implementing proper input sanitization when working with system-level commands. As the Node.js ecosystem continues to grow, maintaining vigilance and conducting thorough security audits of third-party packages is essential to mitigate the risks posed by vulnerabilities like CVE-2024-56334.