
PEACH
Un cadre d’isolation des locataires
CVE-2026-50289 is an OS command injection vulnerability in the systeminformation npm package affecting its networkInterfaces() function on Linux systems. The flaw exists in versions <= 5.31.6 and was reported by researcher tonghuaroot, published to the GitHub Advisory Database on July 15, 2026 (originally disclosed June 5, 2026). It carries a CVSS v4.0 base score of 8.7 (High) (GitHub Advisory).
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). In lib/network.js, the checkLinuxDCHPInterfaces() function reads /etc/network/interfaces and, for every source <path> directive encountered, extracts the path token directly from file content and interpolates it unquoted into a shell command string: const cmd = `cat ${file} 2> /dev/null | grep 'iface\|source'`; — which is then executed via execSync() through /bin/sh. Because the path is never passed through util.sanitizeString or quoted, shell metacharacters (;, $(), backticks, |, &, redirections) in a source directive path break out of the intended pipeline and execute arbitrary commands. This is the same root-cause class as a previously fixed NetworkManager-connection-name injection in the same file; the sibling paths were remediated but the interfaces(5) source-recursion sink was overlooked. The sink is reached transitively by getStaticData() and getAllData(), meaning it is exercised during ordinary library usage (GitHub Advisory, Security Advisory).
Successful exploitation allows an attacker who can write to /etc/network/interfaces or any file transitively sourced by it to execute arbitrary OS commands with the privileges of the Node.js process calling networkInterfaces(). If the affected process runs with elevated privileges (e.g., as root in a monitoring or asset-management agent), the injected commands inherit those privileges, enabling full system compromise, data exfiltration, or persistence. Realistic targets include local inventory agents, monitoring and diagnostics backends, admin dashboards, and device-management agents — all common consumers of this library (GitHub Advisory).
systeminformation <= 5.31.6 and calls networkInterfaces(), getStaticData(), or getAllData() (e.g., a monitoring agent or admin dashboard backend)./etc/network/interfaces, /etc/network/interfaces.d/, or any file transitively sourced by the interfaces configuration — for example, as a lower-privileged local user, a configuration-management hook, or a process that materializes interface snippets from semi-trusted input.source directive: Write or modify an interfaces file to include a source line whose path contains shell metacharacters, such as:source /dev/null;id>/tmp/PWNED;echonetworkInterfaces() (or any API that reaches it transitively). On Debian/Ubuntu, the stock layout already uses source /etc/network/interfaces.d/*, so the parser will follow the malicious directive automatically.checkLinuxDCHPInterfaces() function interpolates the malicious path unquoted into a shell command string executed via execSync(), running the injected command with the privileges of the Node.js process (GitHub Advisory, Security Advisory)./etc/network/interfaces.d/ or modifications to /etc/network/interfaces containing source directives with shell metacharacters (;, |, &, $(), backticks) in the path token; presence of unexpected marker or output files (e.g., /tmp/PWNED) created by injected commands./bin/sh, id, curl, wget, bash, or other shell utilities not expected from normal application operation; execSync calls in Node.js process traces producing unexpected subprocesses./bin/sh or shell commands executed as the Node.js service account user; Node.js application logs showing errors or unexpected output from networkInterfaces() calls; syslog entries for unexpected file creation or command execution by the application user.networkInterfaces(), which may indicate a reverse shell or data exfiltration payload was injected (GitHub Advisory).Upgrade systeminformation to version 5.31.7 or later, which replaces the vulnerable cat ${file} shell string in checkLinuxDCHPInterfaces() with a non-shell fs.readFileSync() call, eliminating the injection sink (v5.31.7 Release, Fix Commit). As interim workarounds: restrict write access to /etc/network/interfaces and all sourced directories to trusted, privileged users only; run Node.js processes using systeminformation with the minimum required OS privileges (avoid running as root). Note that quoting alone is insufficient — the fix requires eliminating shell interpolation of file-derived paths entirely (Security Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."