systeminformation is a System and OS information library for node.js. Prior to 5.31.7, networkInterfaces() on Linux is vulnerable to OS command injection through the Debian/Ubuntu interfaces(5) source directive because lib/network.js checkLinuxDCHPInterfaces() reads /etc/network/interfaces, extracts a source <path> token from file content, and interpolates it unquoted into cat ${file} 2> /dev/null | grep 'iface\|source' executed by execSync(cmd, util.execOptsLinux), allowing a path containing shell metacharacters to execute commands in any process that calls networkInterfaces(), including via getStaticData() and getAllData(). This issue is fixed in version 5.31.7.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Sebhildebrandt
Sebhildebrandt systeminformation |
|
| Vendors & Products |
Sebhildebrandt
Sebhildebrandt systeminformation |
Fri, 17 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | systeminformation is a System and OS information library for node.js. Prior to 5.31.7, networkInterfaces() on Linux is vulnerable to OS command injection through the Debian/Ubuntu interfaces(5) source directive because lib/network.js checkLinuxDCHPInterfaces() reads /etc/network/interfaces, extracts a source <path> token from file content, and interpolates it unquoted into cat ${file} 2> /dev/null | grep 'iface\|source' executed by execSync(cmd, util.execOptsLinux), allowing a path containing shell metacharacters to execute commands in any process that calls networkInterfaces(), including via getStaticData() and getAllData(). This issue is fixed in version 5.31.7. | |
| Title | systeminformation: OS command injection in networkInterfaces() via interfaces(5) source-directive path on Linux | |
| Weaknesses | CWE-78 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:42:41.417Z
Reserved: 2026-06-04T16:26:05.986Z
Link: CVE-2026-50289
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T21:45:03Z