CVE-2026-50289 in systeminformation
Summary
by MITRE • 07/17/2026
systeminformation is a System and OS information library for node.js. Prior to 5.31.7, networkInterfaces() on Linux is vulnerable to OS command injection through the Debian/Ubuntu interfaces(5) source directive because lib/network.js checkLinuxDCHPInterfaces() reads /etc/network/interfaces, extracts a source <path> token from file content, and interpolates it unquoted into cat ${file} 2> /dev/null | grep 'iface\|source' executed by execSync(cmd, util.execOptsLinux), allowing a path containing shell metacharacters to execute commands in any process that calls networkInterfaces(), including via getStaticData() and getAllData(). This issue is fixed in version 5.31.7.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/17/2026
The systeminformation library for node.js presents a critical operating system command injection vulnerability in versions prior to 5.31.7, specifically affecting Linux systems through the networkInterfaces() function. This flaw resides in the lib/network.js file where the checkLinuxDCHPInterfaces() method processes the /etc/network/interfaces configuration file to extract source directive paths. The vulnerability stems from improper input sanitization when parsing the interfaces file, as the extracted path token is interpolated unquoted directly into a shell command execution context. When a maliciously crafted path contains shell metacharacters such as semicolons, ampersands, or backticks, these characters are interpreted by the shell during command execution rather than treated as literal filename components.
The technical exploitation occurs through the construction of the command cat ${file} 2> /dev/null | grep 'iface\|source' where the variable file contains unvalidated input from the interfaces configuration. This command is executed via execSync(cmd, util.execOptsLinux) which operates with elevated privileges depending on how the calling process is configured. The vulnerability affects all processes that invoke networkInterfaces() including those called through getStaticData() and getAllData() methods, creating a broad attack surface that can be exploited by attackers who can influence network interface configuration files or manipulate system configuration. This represents a classic command injection flaw that aligns with CWE-78, which specifically addresses improper neutralization of special elements used in OS commands.
The operational impact of this vulnerability extends beyond simple privilege escalation as it allows attackers to execute arbitrary operating system commands with the privileges of the process calling networkInterfaces(). This could enable an attacker to gain unauthorized access to system resources, exfiltrate sensitive data, establish persistence mechanisms, or perform further reconnaissance within the compromised environment. The vulnerability is particularly concerning in containerized environments where node.js applications may run with elevated privileges, and in server environments where network configuration management is automated or exposed to user input.
Mitigation strategies should focus on immediate patching to version 5.31.7 which addresses the root cause through proper input validation and sanitization of the source directive paths extracted from configuration files. Organizations should also implement additional defensive measures including restricting write access to critical system configuration files such as /etc/network/interfaces, employing principle of least privilege for node.js processes that call network information functions, and monitoring for unusual command execution patterns in system logs. The ATT&CK framework categorizes this vulnerability under T1059.006 for Command and Scripting Interpreter with specific focus on Unix Shell, while the remediation aligns with defensive techniques such as input validation and privilege reduction to limit potential impact of similar vulnerabilities in other system components.