CVE-2026-44724 Overview
CVE-2026-44724 is a command injection vulnerability [CWE-78] in the systeminformation Node.js library, a popular system and operating system information module. The flaw affects versions 4.17.0 through 5.31.5 on Linux systems. The library's networkInterfaces() function fails to sanitize the NetworkManager connection profile name parsed from nmcli device status output. Attackers who can influence connection profile names through shell metacharacters can inject arbitrary commands. The unsanitized connectionName value is interpolated directly into three shell command strings executed via execSync(). The maintainer released a fix in version 5.31.6.
Critical Impact
Local attackers with the ability to create or rename NetworkManager connection profiles can execute arbitrary commands with the privileges of the Node.js process consuming the library.
Affected Products
- systeminformation versions 4.17.0 through 5.31.5 (Linux only)
- Node.js applications that invoke networkInterfaces() on Linux hosts using NetworkManager
- Downstream packages and services that bundle the vulnerable systeminformation versions
Discovery Timeline
- 2026-05-27 - CVE-2026-44724 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44724
Vulnerability Analysis
The systeminformation library exposes a networkInterfaces() function that enumerates network interfaces on the host. On Linux, the implementation calls nmcli to gather details about active NetworkManager connection profiles. The library parses the output of nmcli device status to extract the connection profile name and reuses that value when constructing follow-on shell commands. While the network interface name is sanitized before string interpolation, the connection profile name is not subject to the same treatment. The library then passes the resulting command strings to execSync(), providing a direct path from attacker-controlled input to shell execution.
Root Cause
The root cause is inconsistent input sanitization across data fields obtained from external command output. The library treats the parsed interface name as untrusted but assumes the connection profile name is safe. NetworkManager allows connection profile names to contain arbitrary characters, including shell metacharacters such as backticks, semicolons, and $(). When these characters appear in the connectionName variable, they are interpreted by the shell rather than treated as literal data. This maps to CWE-78, improper neutralization of special elements used in an OS command.
Attack Vector
Exploitation requires a local actor capable of creating or renaming a NetworkManager connection profile to include shell metacharacters. Once such a profile is active, any Node.js process that invokes networkInterfaces() from a vulnerable systeminformation version triggers execSync() with the malicious payload. The injected commands execute under the user account running the Node.js process. Server applications running as a privileged service account amplify the consequence of a successful injection.
No verified public proof-of-concept code is available. See the GitHub Security Advisory for maintainer-provided technical context.
Detection Methods for CVE-2026-44724
Indicators of Compromise
- NetworkManager connection profile names containing shell metacharacters such as `, ;, |, &, or $()
- Unexpected child processes spawned from Node.js applications shortly after calls to networkInterfaces()
- Audit log entries showing nmcli invocations followed by anomalous shell command execution
Detection Strategies
- Inventory Node.js applications and dependency trees to locate systeminformation versions between 4.17.0 and 5.31.5
- Monitor process lineage for shells (sh, bash) spawned as children of Node.js processes that import systeminformation
- Review NetworkManager connection profiles using nmcli connection show and flag any name containing non-alphanumeric metacharacters
Monitoring Recommendations
- Enable Linux audit rules on execve events originating from Node.js runtimes to capture injected command strings
- Alert on creation or modification of NetworkManager profiles by non-administrative accounts
- Centralize host telemetry to correlate connection profile changes with subsequent process execution anomalies
How to Mitigate CVE-2026-44724
Immediate Actions Required
- Upgrade systeminformation to version 5.31.6 or later across all Node.js projects and container images
- Audit existing NetworkManager connection profiles and rename any entry containing shell metacharacters
- Restrict the ability to create or modify NetworkManager profiles to trusted administrators only
Patch Information
The maintainer fixed the vulnerability in systeminformation version 5.31.6 by extending sanitization to the parsed connectionName value. Update direct and transitive dependencies by running npm install systeminformation@^5.31.6 and rebuilding affected applications. Review the GitHub Security Advisory GHSA-hvx9-hwr7-wjj9 for full remediation details.
Workarounds
- Avoid calling networkInterfaces() on Linux hosts until the dependency is upgraded
- Run Node.js applications under a low-privilege account to limit the impact of successful command injection
- Apply mandatory access controls such as AppArmor or SELinux profiles that restrict child process execution from the Node.js runtime
# Upgrade systeminformation to the patched release
npm install systeminformation@^5.31.6
# Identify NetworkManager profiles with risky characters
nmcli -t -f NAME connection show | grep -E '[`;|&$()]'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
