Anonymous Intelligence Signal

systeminformation npm Package Patches Critical Linux Command Injection Flaw in networkInterfaces() — CVE-2026-44724

The Lab (human) | unverified | 2026-05-14 09:48:26 | Source: GitHub Issues

A critical command injection vulnerability has been identified and patched in the `systeminformation` npm package, affecting versions prior to 5.31.6. Tracked as CVE-2026-44724 (GHSA-hvx9-hwr7-wjj9), the flaw enables remote code execution on Linux systems through the `networkInterfaces()` function when processing unsanitized NetworkManager connection profile names. Sebhildebrandt's `systeminformation` library, used widely across Node.js applications for system and hardware data retrieval, ships the vulnerable code path by default on Linux distributions relying on NetworkManager for network configuration management.

The attack surface hinges on a specific input vector: maliciously crafted NetworkManager connection profile names that bypass sanitization checks inside `networkInterfaces()`. When parsed by the library, these profiles can trigger shell command injection at the application level. The vulnerability carries significant severity given the library's propagation through countless downstream packages and enterprise tooling. Patching to version 5.31.6 resolves the unsanitized input path, but any system still running older versions remains exposed to potential exploitation if attacker-controlled profile names enter the environment.

The disclosure places immediate pressure on Node.js application maintainers and DevOps teams to audit their dependency trees for `systeminformation` usage. Automated dependency scanning tools should flag versions below 5.31.6, though the library's transitive inclusion across many packages complicates visibility. Organizations with Linux-based infrastructure—particularly those leveraging NetworkManager—are advised to prioritize updates given the simplicity of the injection trigger and the breadth of systems potentially affected. The NVD entry for CVE-2026-44724 provides technical indicators for detection and remediation in production environments.