{"api_version":"1","generated_at":"2026-04-29T22:21:42+00:00","cve":"CVE-2021-21315","urls":{"html":"https://cve.report/CVE-2021-21315","api":"https://cve.report/api/cve/CVE-2021-21315.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-21315","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-21315"},"summary":{"title":"CVE-2021-21315","description":"The System Information Library for Node.JS (npm package \"systeminformation\") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-02-16 17:15:00","updated_at":"2023-11-07 03:29:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v","name":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Command Injection Vulnerability · Advisory · sebhildebrandt/systeminformation · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525","name":"https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"docker, processLoad fixed potential security issue · sebhildebrandt/systeminformation@07daa05 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E","name":"[cordova-issues] 20210224 [GitHub] [cordova-cli] iva2k opened a new issue #549: update systeminformation package to >=5.3.1","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210312-0007/","name":"https://security.netapp.com/advisory/ntap-20210312-0007/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-21315 Node.JS Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.npmjs.com/package/systeminformation","name":"https://www.npmjs.com/package/systeminformation","refsource":"MISC","tags":["Product","Third Party Advisory"],"title":"systeminformation  -  npm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E","name":"[cordova-issues] 20210224 [GitHub] [cordova-cli] iva2k opened a new issue #549: update systeminformation package to >=5.3.1","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-21315","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21315","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"21315","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"cordova","cpe6":"10.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"-","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21315","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"cordova","cpe6":"10.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"-","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21315","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"systeminformation","cpe5":"systeminformation","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21315","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"systeminformation","cpe5":"systeminformation","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2021","cve_id":"21315","cve":"CVE-2021-21315","vendorProject":"Npm package","product":"System Information Library for Node.JS","vulnerabilityName":"System Information Library for Node.JS Command Injection","dateAdded":"2022-01-18","shortDescription":"In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-02-01","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2021-21315","cwes":"CWE-78","catalogVersion":"2026.04.28","updated_at":"2026-04-28 17:34:35"},"epss":{"cve_year":"2021","cve_id":"21315","cve":"CVE-2021-21315","epss":"0.939600000","percentile":"0.998880000","score_date":"2026-04-28","updated_at":"2026-04-29 00:07:43"},"legacy_qids":[{"cve":"CVE-2021-21315","qid":"150503","title":"NodeJS Command Injection Vulnerability (CVE-2021-21315)"},{"cve":"CVE-2021-21315","qid":"982907","title":"Nodejs (npm) Security Update for systeminformation (GHSA-2m8v-572m-ff2v)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-21315","STATE":"PUBLIC","TITLE":"Command Injection Vulnerability"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"systeminformation","version":{"version_data":[{"version_value":"< 5.3.1"}]}}]},"vendor_name":"sebhildebrandt"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The System Information Library for Node.JS (npm package \"systeminformation\") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]},"references":{"reference_data":[{"name":"https://www.npmjs.com/package/systeminformation","refsource":"MISC","url":"https://www.npmjs.com/package/systeminformation"},{"name":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v","refsource":"CONFIRM","url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v"},{"name":"https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525","refsource":"MISC","url":"https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525"},{"refsource":"MLIST","name":"[cordova-issues] 20210224 [GitHub] [cordova-cli] iva2k opened a new issue #549: update systeminformation package to >=5.3.1","url":"https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210312-0007/","url":"https://security.netapp.com/advisory/ntap-20210312-0007/"}]},"source":{"advisory":"GHSA-2m8v-572m-ff2v","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-02-16 17:15:00","lastModifiedDate":"2023-11-07 03:29:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.6},"severity":"MEDIUM","exploitabilityScore":3.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.3.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:cordova:10.0.0:*:*:*:*:-:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"21315","Ordinal":"195441","Title":"CVE-2021-21315","CVE":"CVE-2021-21315","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"21315","Ordinal":"1","NoteData":"The System Information Library for Node.JS (npm package \"systeminformation\") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"21315","Ordinal":"2","NoteData":"2021-02-16","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"21315","Ordinal":"3","NoteData":"2021-03-12","Type":"Other","Title":"Modified"}]}}}