Improper Access Control in sebhildebrandt/systeminformation

Reported on May 1st 2021

✍️ Description

The systeminformation package is vulnerable to Improper Input Validation via the dockerContainerProcesses function.

🕵️‍♂️ Proof of Concept

// poc.js

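(async () => {
  const si = require('systeminformation');
  // The argument is an array holding an object with a custom toString,
  // not the container ID string the function expects.
  await si.dockerContainerProcesses([{toString: () => { console.log("This is a PoC") }}]);
})();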

💥 Impact

This vulnerability allows attackers to send an object instead of a string, which may lead to code injection, DoS, etc.
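
The following added example (not part of the original report and not systeminformation's own code) shows why a character filter that assumes a string can be sidestepped by an array or object, and how a type check placed before the filter closes the gap. The names `naiveSanitize`, `strictContainerId` and `BLOCKED`, and the allow-list pattern, are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not systeminformation's own code.
const BLOCKED = new Set([';', '&', '|', '$', '`', '(', ')', '<', '>', '"', "'", '\\', '\n']);

// Naive filter: assumes `input` is a string and walks it by index.
// For an array, input[i] is a whole element, so no per-character check
// happens, and `+=` coerces each element through its toString().
function naiveSanitize(input) {
  let out = '';
  for (let i = 0; i < input.length; i++) {
    if (!BLOCKED.has(input[i])) out += input[i];
  }
  return out;
}

// Hardened check: refuse anything that is not a primitive string, then
// allow-list the characters (assumed pattern for a container ID or name).
function strictContainerId(input) {
  if (typeof input !== 'string') {
    throw new TypeError('container id must be a string');
  }
  if (!/^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/.test(input)) {
    throw new RangeError('container id has invalid characters');
  }
  return input;
}

// Constructed inputs: a plain string, the same text wrapped in an array,
// and an object with a custom toString (the shape used in the PoC).
function demo() {
  let calls = 0;
  const spy = { toString: () => { calls++; return 'x'; } };
  const results = {
    filtered: naiveSanitize('a;b'),      // metacharacter removed
    bypassed: naiveSanitize(['a;b']),    // element passes through whole
    coerced: naiveSanitize([spy]),       // caller-supplied toString runs
    rejected: [],
  };
  results.toStringCalls = calls;
  for (const bad of [['a;b'], [spy], 'a;b', 42, null]) {
    try { strictContainerId(bad); } catch (e) { results.rejected.push(e.name); }
  }
  return results;
}

console.log(demo());
```

The strict check never touches the caller's `toString`, because `typeof` is evaluated before any string operation.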