The systeminformation library for Node.js versions 4.17.0 to 5.31.5 contains a command injection vulnerability in the networkInterfaces() function on Linux systems. The vulnerability occurs when NetworkManager connection profile names contain shell metacharacters that are not properly sanitized before being used in shell commands executed through execSync(). While the library sanitizes network interface names, it fails to apply equivalent sanitization to parsed NetworkManager connection profile names. This allows attackers to potentially execute arbitrary commands through maliciously crafted connection profile names. The issue affects the connectionName variable which gets interpolated into three different shell command strings. A fix has been released in version 5.31.6 that addresses this sanitization gap.