CVE-2026-50289
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-50289 is an OS command injection vulnerability in the systeminformation npm package affecting its networkInterfaces() function on Linux systems. The flaw exists in versions <= 5.31.6 and was reported by researcher tonghuaroot, published to the GitHub Advisory Database on July 15, 2026 (originally disclosed June 5, 2026). It carries a CVSS v4.0 base score of 8.7 (High) (GitHub Advisory).

Détails techniques

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). In lib/network.js, the checkLinuxDCHPInterfaces() function reads /etc/network/interfaces and, for every source <path> directive encountered, extracts the path token directly from file content and interpolates it unquoted into a shell command string: const cmd = `cat ${file} 2> /dev/null | grep 'iface\|source'`; — which is then executed via execSync() through /bin/sh. Because the path is never passed through util.sanitizeString or quoted, shell metacharacters (;, $(), backticks, |, &, redirections) in a source directive path break out of the intended pipeline and execute arbitrary commands. This is the same root-cause class as a previously fixed NetworkManager-connection-name injection in the same file; the sibling paths were remediated but the interfaces(5) source-recursion sink was overlooked. The sink is reached transitively by getStaticData() and getAllData(), meaning it is exercised during ordinary library usage (GitHub Advisory, Security Advisory).

Impact

Successful exploitation allows an attacker who can write to /etc/network/interfaces or any file transitively sourced by it to execute arbitrary OS commands with the privileges of the Node.js process calling networkInterfaces(). If the affected process runs with elevated privileges (e.g., as root in a monitoring or asset-management agent), the injected commands inherit those privileges, enabling full system compromise, data exfiltration, or persistence. Realistic targets include local inventory agents, monitoring and diagnostics backends, admin dashboards, and device-management agents — all common consumers of this library (GitHub Advisory).

Étapes d’exploitation

  1. Identify a target: Locate a Linux system running a Node.js application that uses systeminformation <= 5.31.6 and calls networkInterfaces(), getStaticData(), or getAllData() (e.g., a monitoring agent or admin dashboard backend).
  2. Gain write access: Obtain write access to /etc/network/interfaces, /etc/network/interfaces.d/, or any file transitively sourced by the interfaces configuration — for example, as a lower-privileged local user, a configuration-management hook, or a process that materializes interface snippets from semi-trusted input.
  3. Craft a malicious source directive: Write or modify an interfaces file to include a source line whose path contains shell metacharacters, such as:
    source /dev/null;id>/tmp/PWNED;echo
  4. Trigger the vulnerable code path: Wait for or trigger the target Node.js process to call networkInterfaces() (or any API that reaches it transitively). On Debian/Ubuntu, the stock layout already uses source /etc/network/interfaces.d/*, so the parser will follow the malicious directive automatically.
  5. Achieve command execution: The checkLinuxDCHPInterfaces() function interpolates the malicious path unquoted into a shell command string executed via execSync(), running the injected command with the privileges of the Node.js process (GitHub Advisory, Security Advisory).

Indicateurs de compromis

  • File System: Unexpected or newly created files in /etc/network/interfaces.d/ or modifications to /etc/network/interfaces containing source directives with shell metacharacters (;, |, &, $(), backticks) in the path token; presence of unexpected marker or output files (e.g., /tmp/PWNED) created by injected commands.
  • Process: Unusual child processes spawned by the Node.js process, such as /bin/sh, id, curl, wget, bash, or other shell utilities not expected from normal application operation; execSync calls in Node.js process traces producing unexpected subprocesses.
  • Logs: System audit logs (auditd) showing /bin/sh or shell commands executed as the Node.js service account user; Node.js application logs showing errors or unexpected output from networkInterfaces() calls; syslog entries for unexpected file creation or command execution by the application user.
  • Network: Unexpected outbound connections from the Node.js process to external IPs following a call to networkInterfaces(), which may indicate a reverse shell or data exfiltration payload was injected (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade systeminformation to version 5.31.7 or later, which replaces the vulnerable cat ${file} shell string in checkLinuxDCHPInterfaces() with a non-shell fs.readFileSync() call, eliminating the injection sink (v5.31.7 Release, Fix Commit). As interim workarounds: restrict write access to /etc/network/interfaces and all sourced directories to trusted, privileged users only; run Node.js processes using systeminformation with the minimum required OS privileges (avoid running as root). Note that quoting alone is insufficient — the fix requires eliminating shell interpolation of file-derived paths entirely (Security Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54504HIGH8.8
  • JavaScript logoJavaScript
  • @andrea9293/mcp-documentation-server
NonOuiJul 15, 2026
CVE-2026-50289HIGH8.7
  • JavaScript logoJavaScript
  • systeminformation
NonOuiJul 15, 2026
CVE-2026-48795HIGH8.6
  • JavaScript logoJavaScript
  • @adonisjs/bodyparser
NonOuiJul 15, 2026
CVE-2026-50272HIGH7.5
  • JavaScript logoJavaScript
  • dd-trace
NonOuiJul 15, 2026
CVE-2026-54490MEDIUM6.3
  • JavaScript logoJavaScript
  • websocket-driver
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités