Aikido Patches Critical Windows Command Injection in systeminformation Library (CVE-2025-68154)
A critical security vulnerability in the popular `systeminformation` library exposes Windows systems to arbitrary code execution. The flaw, tracked as CVE-2025-68154 and rated HIGH severity, resides in the `fsSize()` function, which passes unsanitized user input from its `drive` parameter directly into the underlying PowerShell commands it runs, allowing OS command injection. This creates a direct path for attackers to execute commands on the host machine.
The vulnerability was identified and patched by the security platform Aikido. The fix involves upgrading the `systeminformation` dependency from version 5.25.11 to the patched version 5.27.14. The core of the issue is a lack of input sanitization before commands are executed, a classic injection vector that is particularly dangerous when it enables interaction with the operating system shell. Successful exploitation requires that an attacker can control the input that flows into the vulnerable function.
This patch is critical for any application using the affected versions of `systeminformation` on Windows. Developers and security teams must prioritize this upgrade to mitigate the risk of remote code execution. The resolution highlights the ongoing need for rigorous input validation in libraries that perform system-level operations, especially those that interface with command-line interpreters like PowerShell.