CVE-2026-1665

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

CVSS

No CVSS.

References

Link	Resource
https://github.com/nvm-sh/nvm
https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506
https://github.com/nvm-sh/nvm/pull/3380
https://github.com/nvm-sh/nvm/releases/tag/v0.40.4

Configurations

No configuration.

History

No history.

Information

Published : 2026-01-29 23:16

Updated : 2026-01-29 23:16

NVD link : CVE-2026-1665

Mitre link : CVE-2026-1665

CVE.ORG link : CVE-2026-1665

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

{"id": "CVE-2026-1665", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-29T23:16:11.707", "references": [{"url": "https://github.com/nvm-sh/nvm", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nvm-sh/nvm/pull/3380", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-95"}]}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos existe en nvm (Node Version Manager) versiones 0.40.3 e inferiores. La funci\u00f3n nvm_download() utiliza eval para ejecutar comandos wget, y la variable de entorno NVM_AUTH_HEADER no fue saneada en la ruta de c\u00f3digo de wget (aunque s\u00ed fue saneada en la ruta de c\u00f3digo de curl). Un atacante que puede establecer variables de entorno en el entorno de shell de una v\u00edctima (por ejemplo, a trav\u00e9s de configuraciones maliciosas de CI/CD, dotfiles comprometidos o im\u00e1genes de Docker) puede inyectar comandos de shell arbitrarios que se ejecutan cuando la v\u00edctima ejecuta comandos nvm que activan descargas, como 'nvm install' o 'nvm ls-remote'."}], "lastModified": "2026-01-29T23:16:11.707", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}