OS Command Injection Vulnerability in Systeminformation Library for Node.js
CVE-2026-50289
What is CVE-2026-50289?
The Systeminformation library for Node.js is susceptible to an OS command injection vulnerability, allowing malicious actors to execute arbitrary commands. This issue arises from the improper handling of file paths within the networkInterfaces() function when executed on Linux systems. Specifically, the vulnerability occurs in versions prior to 5.31.7, where unquoted shell metacharacters in the source directive of the /etc/network/interfaces file can lead to the execution of arbitrary commands through a crafted path. This security flaw can impact any application utilizing the affected library, emphasizing the importance of updating to version 5.31.7 or later to mitigate the risk. For further details, please refer to the official advisory and the commit addressing this issue.
Affected Version(s)
systeminformation < 5.31.7
