CVE-2025-68154: systeminformation has a Command Injection vulnerability in fsSize() function on Windows
The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.
Affected Platforms: Windows only
CVSS Breakdown (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, CVSS v3.x base score 8.1, High):
- Attack Vector (AV:N): Network - reachable remotely when the application exposes fsSize() through a web application or API
- Attack Complexity (AC:H): High - requires the application to pass user-controlled input to fsSize()
- Privileges Required (PR:N): None - no authentication is required at the library level
- User Interaction (UI:N): None
- Scope (S:U): Unchanged - the injected command executes within the Node.js process context, with that process's privileges
- Confidentiality/Integrity/Availability (C:H/I:H/A:H): High - arbitrary command execution if exploited
Note: The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to fsSize(), it is not vulnerable.
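The injection pattern the advisory describes and the check an application should apply before calling fsSize(), as an added example that is not code from the systeminformation library: the PowerShell command template, the payload, and the function names buildFsSizeCommandUnsafe, normalizeDrive and buildFsSizeCommandSafe are assumptions for illustration. Only the pattern is taken from the advisory: a caller-supplied drive string concatenated into a PowerShell command, versus an allowlist that accepts nothing but a drive letter.

```javascript
'use strict';
// Added illustration of CWE-78 (OS command injection) in the shape the
// advisory describes. The command template below is an ASSUMPTION made for
// teaching purposes; it is not copied from systeminformation.

// Unsafe pattern: the caller-supplied `drive` is concatenated straight into
// a PowerShell command. Nothing stops the value from closing the quoted
// filter and appending its own statement.
function buildFsSizeCommandUnsafe(drive) {
  let cmd = 'Get-CimInstance -ClassName Win32_LogicalDisk';
  if (drive) {
    cmd += ' -Filter "DeviceID=\'' + drive + '\'"';
  }
  return cmd + ' | Select-Object DeviceID,Size,FreeSpace';
}

// Hardened pattern: an allowlist. A drive specifier is a single letter with
// an optional trailing colon, nothing else. Anything else is rejected before
// it can reach a shell or a PowerShell command string. (Escaping quotes is
// weaker than this: PowerShell still parses the -Command text, so the only
// safe value is one that cannot contain syntax at all.)
function normalizeDrive(drive) {
  if (drive === undefined || drive === null || drive === '') {
    return null; // optional parameter: no filter, list all logical disks
  }
  if (typeof drive !== 'string') {
    throw new TypeError('drive must be a string');
  }
  const m = /^([A-Z]):?$/.exec(drive.trim().toUpperCase());
  if (!m) {
    throw new Error('invalid drive specifier: ' + JSON.stringify(drive));
  }
  return m[1] + ':';
}

function buildFsSizeCommandSafe(drive) {
  const d = normalizeDrive(drive); // throws on anything but a drive letter
  let cmd = 'Get-CimInstance -ClassName Win32_LogicalDisk';
  if (d) {
    cmd += ' -Filter "DeviceID=\'' + d + '\'"';
  }
  return cmd + ' | Select-Object DeviceID,Size,FreeSpace';
}

// Constructed sample input, the kind of value a web handler might forward
// from a query parameter. The embedded double quote closes the -Filter
// string, ';' ends the statement, and '#' comments out the remainder, so
// the appended Start-Process would run if this string were executed.
const PAYLOAD = 'C:\'"; Start-Process calc.exe; #';

// Nothing here is executed; the functions only build the command text so
// the difference between the two builders can be inspected safely.
console.log('unsafe :', buildFsSizeCommandUnsafe(PAYLOAD));
try {
  buildFsSizeCommandSafe(PAYLOAD);
} catch (e) {
  console.log('safe   : rejected ->', e.message);
}
console.log('safe   :', buildFsSizeCommandSafe('c'));
```

In an application, the allowlist check belongs at the boundary where the request parameter is read, before the value is handed to fsSize(); passing the validated letter rather than the raw request string is what makes the note above ("does not pass user-controlled input") true for that code path.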