CVE-2026-50289: systeminformation networkInterfaces() Linux source-directive command injection
CVE-2026-50289 is verified against sebhildebrandt/systeminformation · github affected versions: <= 5.31.6 fixed version: 5.31.7 vulnerability class: Command Injection This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00291.
pruva-verify REPRO-2026-00291 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00291/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh On Linux, sebhildebrandt/systeminformation’s public networkInterfaces() API reaches lib/network.js and its DHCP interface discovery path. The vulnerable path reads /etc/network/interfaces, follows Debian/Ubuntu-style source directives, and in versions <5.31.7 interpolates a path parsed from file content unquoted into a shell command executed via execSync(). Because the parsed source path is treated as shell text rather than an argument, shell metacharacters in a source target can execute arbitrary commands as the Node.js process user.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.