Impact
systeminformation is a Node.js library that retrieves system and OS information. From versions 4.17.0 through 5.31.5, the networkInterfaces() method on Linux can execute arbitrary shell commands when an active NetworkManager connection profile name includes shell metacharacters. The library sanitizes the network interface name but does not escape the parsed connection profile name, which is interpolated into three shell command strings executed via execSync(). Consequently, an attacker able to influence the connection profile name can inject commands, leading to local command execution with the privileges of the running Node.js process.
Affected Systems
The vulnerability affects the systeminformation package maintained by sebhildebrandt on Linux systems. Versions 4.17.0 up to and including 5.31.5 are vulnerable. The vulnerable path is reached when networkInterfaces() is called in a process that is able to run nmcli device status, and an active connection profile name contains shell metacharacters such as ;, &, |, or $.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity. The EPSS score is unavailable, so exploitation likelihood cannot be quantified. Because the vulnerability requires a scenario in which the attacker can control or influence the NetworkManager connection profile name, the attack vector is likely local, but it could be abused in environments where arbitrary connection names can be added (e.g., in container or VM images). The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been reported at present. The patch was released in 5.31.6, and running that version or newer eliminates this risk.
OpenCVE Enrichment
Github GHSA