Home

Description

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

PUBLISHED Reserved 2026-01-29 | Published 2026-01-29 | Updated 2026-01-30 | Assigner openjs




MEDIUM: 5.4CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Product status

Default status
unaffected

0.40.0 (semver)
affected

0.40.4 (semver)
unaffected

Timeline

2026-01-09:Fix committed
2026-01-29:v0.40.4 released

Credits

Jiyong Yang (sy2n0@naver.com) finder

References

github.com/...ommit/44e2590cdf257faf7d885e4470be8dc66cec9506 (Fix commit) patch

github.com/nvm-sh/nvm/releases/tag/v0.40.4 (Release v0.40.4) release-notes

github.com/nvm-sh/nvm (nvm GitHub repository) product

github.com/nvm-sh/nvm/pull/3380

cve.org (CVE-2026-1665)

nvd.nist.gov (CVE-2026-1665)

Download JSON