CVE-2026-44724: Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name

On Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters.

This is not caused by a caller passing attacker-controlled arguments into networkInterfaces(). The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync().

This issue was validated locally against real NetworkManager and real nmcli. Calling only:

require('./lib').networkInterfaces()

was enough to trigger execution. The injected command ran with the privileges of the calling Node.js process.

Validation was performed against real NetworkManager and real nmcli. The primary proof did not rely on a PATH stub.

Observed behavior:

• The malicious profile was accepted by NetworkManager.
• The active connection name appeared unchanged in nmcli device status.
• Calling only require('./lib').networkInterfaces() triggered execution.
• The proof artifacts were created only after the library call.
• The id output matched the calling Node.js process identity.
• The pwd output matched the Node.js process working directory.
• The environment proof demonstrated access to process-environment categories without printing secret values.

Aggregate API reachability: