Node.js systeminformation Package Enables RCE Attacks


A critical command injection vulnerability in the systeminformation npm package, CVE-2024-56334, exposes millions of systems to RCE and privilege escalation attacks.

The flaw affects versions ≤5.23.6 and lies in the getWindowsIEEE8021x function, where insufficient sanitization of the Wi-Fi SSID field allows attackers to execute malicious OS commands via Windows’ cmd.exe.

This highlights the need for secure coding practices when handling untrusted input.

All about the vulnerability

GitHub reports reveal the flaw in how SSIDs are processed.

The SSID is retrieved via netsh wlan show interface and passed to cmd.exe without sanitization.

This lets attackers use malicious SSID names to execute commands on the victim’s system.

Proof of Concept (PoC)

  1. Craft a Malicious SSID: An attacker sets a hotspot SSID with a command injection payload, e.g.:
    • a" | ping /t 127.0.0.1 &
    • a" | %SystemDrive%\a\a.exe &
  2. Connect to the Network: The victim connects to the malicious SSID on a vulnerable system.
  3. Execute the Exploit: The attacker uses the vulnerable function in the package:

     const si = require('systeminformation');
     si.networkInterfaces((net) => { console.log(net) });

This allows the attacker to run arbitrary commands, such as executing files or creating a continuous ping loop.
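The quoting failure described above, next to a hardened alternative, as an added example that is not code from the systeminformation project or from this advisory. The command template, the function names and the sample netsh output are assumptions constructed for illustration; the SSID value is one of the payloads quoted in the steps above.

```javascript
// Added illustration; not systeminformation's source. The command template,
// function names and sample netsh output below are constructed assumptions.

// Characters that cmd.exe interprets when a value is pasted into a command line.
const CMD_META = /["&|<>^%!\r\n]/;

// Pull the SSID out of `netsh wlan show interface` output. The value is chosen
// by whoever runs the access point, so it is untrusted input.
function parseSsid(netshOutput) {
  for (const line of netshOutput.split(/\r?\n/)) {
    const m = /^\s*SSID\s*:\s(.*)$/.exec(line); // "BSSID" lines do not match
    if (m) return m[1];
  }
  return null;
}

// Vulnerable pattern: the SSID is interpolated into a string that a shell parses.
function buildCommandUnsafe(ssid) {
  return `netsh wlan show profiles "${ssid}" | findstr "802.1X"`;
}

// Hardened pattern: validate, then return an argv array meant for
// child_process.execFile('netsh', argv), which starts no shell.
function buildArgsSafe(ssid) {
  if (typeof ssid !== 'string' || ssid.length === 0) throw new Error('no SSID');
  if (Buffer.byteLength(ssid, 'utf8') > 32) throw new Error('SSID too long');
  if (CMD_META.test(ssid)) throw new Error('SSID contains shell metacharacters');
  return ['wlan', 'show', 'profiles', `name=${ssid}`];
}

// Constructed sample output; the SSID is one of the payloads quoted in the article.
const SAMPLE = [
  '    Name                   : Wi-Fi',
  '    State                  : connected',
  '    SSID                   : a" | ping /t 127.0.0.1 &',
  '    BSSID                  : 00:11:22:33:44:55',
].join('\r\n');

const ssid = parseSsid(SAMPLE);
console.log(buildCommandUnsafe(ssid)); // the quote closes early; the rest is parsed as commands
try {
  buildArgsSafe(ssid);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(buildArgsSafe('HomeNet-5G'));
```

Rejecting on metacharacters is deliberately conservative: some legitimate SSIDs contain these characters, and a caller can report the 802.1X state as unknown for them instead of querying.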

The vulnerability is critical, allowing RCE or privilege escalation based on how the systeminformation package is used.

Attackers can exploit it by injecting malicious commands via crafted Wi-Fi SSIDs, enabling unauthorized access, data theft, or disruption.

With a CVSS score of 10.0, it severely impacts confidentiality, integrity, and availability. Developers must patch their systems immediately.

Security researcher @xAiluros reported the issue and provided a proof of concept. The package author, sebhildebrandt, quickly released a patched version, urging users to update promptly.

Affected and Patched Versions

Version Status    | Version  | Details
Affected Versions | ≤ 5.23.6 | Vulnerable to the command injection flaw.
Patched Version   | 5.23.7   | Vulnerability fixed with proper sanitization.


By | 2025-01-08T23:50:45+05:30 December 25th, 2024|Internet Security, RCE Flaw, Security Advisory, Security Update, vulnerability|

About the Author:

FirstHackersNews- Identifies Security
