Skip to content

Prototype Pollution in systeminformation

Moderate severity GitHub Reviewed Published Nov 27, 2020 in sebhildebrandt/systeminformation • Updated Jan 9, 2023

Package

npm systeminformation (npm)

Affected versions

< 4.30.5

Patched versions

4.30.5

Description

Impact

command injection vulnerability by prototype pollution

Patches

Problem was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. Please upgrade to version >= 4.30.2

Workarounds

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite()

For more information

If you have any questions or comments about this advisory:

References

@sebhildebrandt sebhildebrandt published to sebhildebrandt/systeminformation Nov 27, 2020
Reviewed Nov 27, 2020
Published to the GitHub Advisory Database Nov 27, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(56th percentile)

Weaknesses

CVE ID

CVE-2020-26245

GHSA ID

GHSA-4v2w-h9jm-mqjg

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.