OS Command Injection Vulnerability in systeminformation Library via networkInterfaces()
A high-severity OS command injection vulnerability, CVE-2026-50289, exists in the `systeminformation` Node.js library on Linux systems, allowing an attacker who can manipulate `interfaces(5)` configuration files to execute arbitrary commands with the privileges of the calling Node.js process by injecting shell metacharacters into `source` directive paths, which are then unsafely interpolated into an `execSync()` command within the `networkInterfaces()` function.
The systeminformation Node.js library, specifically versions up to and including 5.31.6, is affected by CVE-2026-50289, a high-severity OS command injection vulnerability on Linux systems, particularly Debian/Ubuntu variants utilizing interfaces(5). The networkInterfaces() function insecurely handles paths specified in source directives within /etc/network/interfaces and transitively sourced files. When processing these configuration files to collect DHCP state, the library extracts paths from source lines and interpolates them, unquoted, into a shell command string executed via execSync(). This allows an attacker capable of placing or influencing a malicious source path to inject shell metacharacters, leading to arbitrary command execution. This vulnerability presents a significant risk to applications using systeminformation as local inventory, monitoring, or admin-dashboard backends, as successful exploitation grants the attacker command execution with the privileges of the Node.js process.
Attack Chain
- An attacker gains the ability to write to or influence the content of
/etc/network/interfacesor any file transitivelysourced by it. This could be a lower-privileged process, a configuration management hook, or a tool that materializes interface snippets from semi-trusted input. - The attacker inserts a
sourcedirective into one of these configuration files, where the path contains shell metacharacters (e.g.,/dev/null;id>${marker};echo). - A Node.js application, running on the vulnerable Linux system, invokes the
systeminformationlibrary'snetworkInterfaces()function (orgetStaticData(),getAllData()). - The
networkInterfaces()function on Linux callsgetLinuxDHCPNics(), which in turn callscheckLinuxDCHPInterfaces('/etc/network/interfaces'). - Inside
checkLinuxDCHPInterfaces(), the function reads the content of theinterfacesfile usingcat ${file} .... Thesourcedirective's malicious path is read and passed as thefileargument for a recursive call tocheckLinuxDCHPInterfaces(). - In the recursive call, the new malicious
filepath is unquotedly interpolated into anothercat ${file} 2> /dev/null | grep 'iface\\|source'shell command. - The injected shell metacharacters (
/dev/null;id>${marker};echofor example) break out of the intendedcatcommand, leading to the execution of arbitrary commands (e.g.,id) with the privileges of the Node.js process. - The attacker achieves command execution, potentially elevating privileges or performing further malicious actions.
Impact
Successful exploitation of CVE-2026-50289 leads to arbitrary command execution on the affected Linux system. Any process that calls networkInterfaces(), often found in local inventory agents, monitoring and diagnostics agents, admin-dashboard backends, or device-management software, is vulnerable. If these Node.js processes run with elevated privileges (e.g., as root), the injected commands will also execute with those elevated privileges, potentially leading to full system compromise. The vulnerability is easily triggered through ordinary usage of core systeminformation APIs, making it a critical risk for systems running vulnerable versions. The attacker gains the ability to run any command, potentially installing backdoors, exfiltrating data, or disrupting services.
Recommendation
- Patch CVE-2026-50289 immediately: Update
systeminformationto a version greater than 5.31.6 to remediate CVE-2026-50289. - Monitor for suspicious
shorbashprocess creations: Deploy theDetect CVE-2026-50289 Exploitation - Suspicious Shell ExecutionSigma rule to your SIEM. - Enable process creation logging: Ensure
process_creationlogging (e.g., Sysmon on Linux, Auditd) is enabled for Linux systems to capture shell command executions and their arguments. - Restrict write access to network configuration files: Limit write permissions to
/etc/network/interfacesand related directories (/etc/network/interfaces.d/) to only authorized administrators or processes to prevent attackers from injecting malicioussourcedirectives.
Detection coverage 1
Detect CVE-2026-50289 Exploitation - Suspicious Shell Execution
highDetects CVE-2026-50289 exploitation - processes spawned by Node.js that contain shell metacharacters, indicating OS command injection via `systeminformation` library's `networkInterfaces()` function on Linux.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
payload
| Type | Value |
|---|---|
| payload | /dev/null;id>${marker};echo |