Command Injection Affecting systeminformation package, versions <5.31.7


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
2.08% (80th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-SYSTEMINFORMATION-17988448
  • published16 Jul 2026
  • disclosed15 Jul 2026
  • credittonghuaroot

Introduced: 15 Jul 2026

NewCVE-2026-50289  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade systeminformation to version 5.31.7 or higher.

Overview

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Command Injection through the checkLinuxDCHPInterfaces() function in lib/network.js. An attacker can execute arbitrary commands by supplying a malicious source path in a Linux interfaces(5) configuration file that networkInterfaces() parses. The vulnerable code reads /etc/network/interfaces and recursively follows source directives, then interpolates the parsed path unquoted into a shell command passed to execSync(). Any process calling networkInterfaces() on a system where an attacker can influence a sourced interfaces file can be made to run injected commands with the privileges of that Node.js process.

CVSS Base Scores

version 4.0
version 3.1