Popular Node.js package had a dangerous bug
A command injection vulnerability was found in the popular Node.js systeminformation library, which has been downloaded over 34,000,000 times in total. The issue received the ID CVE-2021-21315.
The systeminformation library allows developers to retrieve system information related to the processor and other components, battery, network, various services and system processes.
CVE-2021-21315 could allow an attacker to execute system commands. The bug was fixed in version 5.3.1.
All systeminformation users are advised to upgrade to version 5.3.1 or later as soon as possible. If upgrading is not possible for some reason, the npm security team has published a security advisory that describes workarounds.
Source: xakep.ru
26 February 2021