KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

7.1

CVSS
High

CVE-2021-21315

PUBLISHED

Command Injection Vulnerability

Exploited in the wild Low complexity No user interaction

Vendor: sebhildebrandt
Product: systeminformation
Published: Feb 16, 2021
EPSS: —

Description

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

nodejs cisa nuclei_scanner

CVSS scores

CVSS v3.1 7.1 High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploitation status

Exploited in the wild

Recorded 2022-01-18 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: partial

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Jan 18, 2022
CISA	Jan 18, 2022

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21315.yaml	Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

alikarimi999/CVE-2021-21315

github · Created 2021-09-07 14:31:20 UTC · 4 stars

ForbiddenProgrammer/CVE-2021-21315-PoC

github · Created 2021-03-01 18:52:41 UTC · 156 stars

CVE 2021-21315 PoC

Timeline

CVE ID Reserved

December 22, 2020
CVE Published to Public

February 16, 2021
Added to KEVIntel

January 18, 2022
Added to KEVIntel

January 18, 2022
Detected by Nuclei

April 25, 2025