CVE-2026-50289

sebhildebrandt · systeminformation

The systeminformation library for Node.js is vulnerable to OS command injection due to improper neutralization of input elements.

Executive summary

An OS command injection vulnerability in the sebhildebrandt systeminformation library allows authenticated users to execute arbitrary commands on the host operating system.

Vulnerability

The vulnerability is an OS command injection flaw (CWE-78) triggered by improper handling of input during system information queries. Exploitation requires the attacker to be authenticated with low privileges, yet the impact on confidentiality, integrity, and availability is high.

Business impact

Successful exploitation allows an authenticated user to escalate privileges or execute unauthorized code within the context of the application. Given the CVSS score of 8.7, this flaw could be leveraged to gain lateral movement within the server environment, leading to significant security breaches and potential unauthorized access to system-level data.

Remediation

Immediate Action: Update the systeminformation package to version 5.31.7 or higher immediately.

Proactive Monitoring: Monitor server logs for suspicious command execution patterns or unauthorized access attempts by low-privileged user accounts.

Compensating Controls: Implement strict input validation at the application layer to ensure that only expected parameters are passed to system-level calls.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Organizations using the systeminformation library must update to the latest patched version to remove this injection vector. As this library is often a dependency, developers should perform a dependency audit to ensure all sub-components are updated to the secure version.