NodeJS System Information Library Command Injection (CVE-2021-21315)

high Nessus Plugin ID 164017


The remote host contains a web application framework library that is affected by a command injection vulnerability.


The remote host contains a version of the systeminformation npm module prior to 5.3.1. It is, therefore, affected by a command injection vulnerability. The System Information Library for Node.JS (npm package 'systeminformation') is an open source collection of functions to retrieve detailed hardware, system and OS information. The vulnerability was fixed in version 5.3.1. As a workaround instead of upgrading, check or sanitize the service parameters that are passed to si.inetLatency(), si.inetChecksite(), or si.processLoad() so that only strings are allowed and any arrays are rejected. String sanitization works as expected.
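The workaround above, sketched as a type guard placed in front of the affected calls. This is an added example, not code from the plugin or from the systeminformation project; `parseQuery`, `requireString`, `guarded` and `checkQuery` are hypothetical names, and the query strings are constructed samples.

```javascript
'use strict';

// Hypothetical helper: collect query parameters the way common parsers do,
// where a repeated key becomes an array instead of a string.
function parseQuery(rawQuery) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(rawQuery)) {
    if (!(key in out)) out[key] = value;
    else out[key] = [].concat(out[key], value);
  }
  return out;
}

// Pass the value through only if it is a primitive string.
function requireString(name, value) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`parameter "${name}" must be a string, got ${kind}`);
  }
  return value;
}

// Wrap a one-argument function so it is only ever called with a string.
// `fn` stands in for si.inetLatency, si.inetChecksite or si.processLoad.
function guarded(name, fn) {
  return (value) => fn(requireString(name, value));
}

// Run one parameter of a raw query string through the guard.
function checkQuery(rawQuery, name) {
  try {
    return { ok: true, value: requireString(name, parseQuery(rawQuery)[name]) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs: a plain string, a repeated key, a missing key.
for (const q of ['host=example.com', 'host=a.example&host=b.example', 'other=1']) {
  console.log(q, '->', JSON.stringify(checkQuery(q, 'host')));
}
```

The guard rejects the request before the library is reached, so it belongs at the point where request data is first read rather than inside individual handlers.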


Upgrade the systeminformation module to 5.3.1 or later.


Plugin Details

Severity: High

ID: 164017

File Name: nodejs_cve-2021-21315.nbin

Version: 1.1

Type: remote

Family: CGI abuses

Published: 8/10/2022

Updated: 8/10/2022

Risk Information

CVSS Score Rationale: Tenable confirms the access vector is network, not local


Risk Factor: High

Score: 7.4


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: manual


Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/14/2022

Vulnerability Publication Date: 2/14/2022

Reference Information

CVE: CVE-2021-21315