Cyber Resilience

CVE-2021-21315

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 February 2021

Modified: 24 October 2025
KEV Added: 18 January 2022
Patch
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.9396 (99.9th percentile)
Risk Priority: 91 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21315 is a high-severity OS Command Injection (CWE-78) vulnerability in the systeminformation npm package (vendor: Systeminformation). Its CVSS base score is 7.1 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a command injection flaw (CWE-78) in the systeminformation npm package, an open-source Node.js library used to retrieve hardware, system, and OS details. It affects all versions prior to 5.3.1 and is exposed through functions that accept untrusted input for system queries.

An attacker able to supply or influence parameters to calls such as si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad() can inject operating-system commands. The CVSS 7.1 vector (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) indicates that local, unauthenticated execution can alter integrity outside the intended security boundary, even though confidentiality and availability impacts are not scored.

The GitHub Security Advisory and the accompanying commit state that the issue is resolved in version 5.3.1. As a workaround, callers must enforce that only string values are passed to the affected functions and must reject arrays; standard string sanitization is reported to be effective. NetApp and Apache Cordova advisories reference the same upstream fix for their downstream products.
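As an added illustration (not part of this advisory page and not the systeminformation project's own code), the following JavaScript shows one way to implement the workaround described above: a per-function allowlist that refuses arrays and anything other than a plain string before the value reaches the library, which is also what the SI-10 (Information Input Validation) control below asks for. The allowlist patterns, the `guardedCall` wrapper and the `fakeSi` stand-in for the real module are all assumptions of this example, not behaviour documented by the project.

```javascript
// Added example (not systeminformation's own code): an allowlist guard that
// enforces the advisory's workaround before any value reaches the library.
// It assumes the application routes si.services(), si.processLoad(),
// si.inetLatency() and si.inetChecksite() through guardedCall(); the patterns
// below are this example's own assumptions about what each parameter may look like.

const MAX_LEN = 255;

const ALLOWED_PARAM = {
  // comma-separated service or process names, e.g. "mysql, apache2"
  services:      /^[A-Za-z0-9._@-]+(\s*,\s*[A-Za-z0-9._@-]+)*$/,
  processLoad:   /^[A-Za-z0-9._@-]+(\s*,\s*[A-Za-z0-9._@-]+)*$/,
  // hostname, IPv4 or IPv6 literal for the latency probe
  inetLatency:   /^[A-Za-z0-9.:-]+$/,
  // http(s) URL with no whitespace and no shell metacharacters;
  // deliberately tight, widen only after reviewing how the value is used
  inetChecksite: /^https?:\/\/[A-Za-z0-9._:\/?=%#-]+$/,
};

class UnsafeParameterError extends Error {
  constructor(fn, reason) {
    super(`${fn}: ${reason}`);
    this.name = 'UnsafeParameterError';
  }
}

// Returns the value unchanged if it is a plain string matching the allowlist
// for that function; throws UnsafeParameterError otherwise.
function validateParam(fn, value) {
  const pattern = ALLOWED_PARAM[fn];
  if (!pattern) throw new UnsafeParameterError(fn, 'no allowlist defined; call refused');
  // Arrays (and anything else that is not a primitive string) are refused outright,
  // which is the advisory's first requirement.
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new UnsafeParameterError(fn, `expected a string, got ${kind}`);
  }
  if (value.length === 0 || value.length > MAX_LEN) {
    throw new UnsafeParameterError(fn, 'length out of range');
  }
  if (!pattern.test(value)) {
    throw new UnsafeParameterError(fn, 'characters outside the allowlist');
  }
  return value;
}

// Dispatches only validated strings to the library object.
function guardedCall(si, fn, value) {
  return si[fn](validateParam(fn, value));
}

// Constructed stand-in for the real `systeminformation` module so the guard can
// be exercised offline; each function simply records what it received.
const fakeSi = {
  services:      (s) => ({ fn: 'services', arg: s }),
  processLoad:   (s) => ({ fn: 'processLoad', arg: s }),
  inetLatency:   (s) => ({ fn: 'inetLatency', arg: s }),
  inetChecksite: (s) => ({ fn: 'inetChecksite', arg: s }),
};

// Runs a batch of requests through the guard and tallies accepted vs. rejected.
function screen(si, requests) {
  const accepted = [];
  const rejected = [];
  for (const { fn, value } of requests) {
    try {
      accepted.push(guardedCall(si, fn, value).arg);
    } catch (err) {
      if (!(err instanceof UnsafeParameterError)) throw err;
      rejected.push(err.message);
    }
  }
  return { accepted, rejected };
}

// Constructed sample inputs: three legitimate values and four that must be refused.
const SAMPLE_REQUESTS = [
  { fn: 'services', value: 'mysql, apache2' },                      // legitimate
  { fn: 'services', value: ['mysql'] },                             // array: refused
  { fn: 'services', value: 'mysql;apache2' },                       // shell separator: refused
  { fn: 'inetLatency', value: '8.8.8.8' },                          // legitimate
  { fn: 'inetLatency', value: 'example.com | other' },              // metacharacters: refused
  { fn: 'inetChecksite', value: 'https://example.com/health?x=1' }, // legitimate
  { fn: 'processLoad', value: 42 },                                 // number: refused
];

console.log(screen(fakeSi, SAMPLE_REQUESTS));
```

The guard rejects by type first and by content second, so an array never reaches the allowlist check at all; the regex allowlists are intentionally narrow and should be adjusted to the deployment's real service names and hosts rather than loosened to a denylist of known-bad characters.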

EU & UK References

Vulnerability details

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

systeminformation / systeminformation: ≤ 5.3.1
apache / cordova: 10.0.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted parameters passed to si.inetLatency(), si.services(), etc., blocking the command-injection vectors described in the CVE.

SI-2 Flaw Remediation (prevent): Mandates prompt installation of the systeminformation 5.3.1 patch that eliminates the command-injection flaw in the affected functions.

prevent: Enforces configuration settings that restrict callers to string-only inputs and reject arrays for the vulnerable APIs, implementing the documented workaround.

References